Skip to main content
CVE-2026-6988 HIGH POC This Week

Remote authenticated attackers can execute arbitrary code on Tenda HG10 routers (firmware HG7_HG9_HG10re_300001138_en_xpon) by sending a malformed 'nextHop' parameter to the /boaform/formRouting endpoint in the Boa web service. This buffer overflow vulnerability has publicly available exploit code on GitHub and is rated 8.8 (High) with low attack complexity. EPSS data unavailable; not currently listed in CISA KEV. Successful exploitation requires only low-privilege authentication and grants full device compromise (confidentiality, integrity, and availability impact).

Buffer Overflow Tenda
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-41163 HIGH PATCH This Week

Privilege escalation in bubblewrap 0.11.x when installed setuid root allows local attackers to escape sandbox isolation via ptrace attachment during low-privileged setup phases. The vendor confirmed active exploitation risk by releasing emergency v0.11.2 patch and immediately deprecating setuid mode entirely. CVSS 8.7 severity reflects high integrity impact from sandbox breakout, though exploitation requires local access to a setuid-configured bubblewrap binary (non-default in most distributions).

Privilege Escalation
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-6951 HIGH PATCH GHSA This Week

Remote code execution in simple-git before 3.36.0 allows unauthenticated attackers to execute arbitrary commands via incomplete sanitization of command-line options. The vulnerability bypasses the prior CVE-2022-25912 fix by accepting --config instead of the blocked -c flag, enabling protocol.ext.allow=always configuration and malicious ext:: URLs. Publicly available exploit code exists (POC confirmed), with EPSS score of 0.08% indicating low current exploitation probability despite the theoretical severity. SSVC framework classifies this as automatable with total technical impact.

Code Injection RCE Simple Git
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-41520 HIGH PATCH GHSA This Week

WireGuard private keys leak through Cilium debugging tools in deployments using transparent encryption. Cilium's cilium-bugtool and cilium sysdump command expose the node-to-node WireGuard encryption private key (cilium_wg0.key) in output archives. Attackers with high-privilege local access to these diagnostic outputs can decrypt past and future inter-node traffic. Affects all Cilium versions prior to v1.17.15, v1.18.0-v1.18.8, and v1.19.0-v1.19.2. Patches released in v1.17.15, v1.18.9, and v1.19.3. No public exploit identified at time of analysis, but exploitation requires only access to previously shared bugtool/sysdump archives.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.9
EPSS
0.0%
CVE-2026-31683 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: batman-adv: avoid OGM aggregation when skb tailroom is insufficient When OGM aggregation state is toggled at runtime, an existing forwarded packet may have been allocated with only packet_len bytes, while a later packet can still be selected for aggregation. Appending in this case can hit skb_put overflow conditions. Reject aggregation when the target skb tailroom cannot accommodate the new packet. The caller then falls back to creating a new forward packet instead of appending.

Buffer Overflow Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31680 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: flowlabel: defer exclusive option free until RCU teardown `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is present. Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection removes it and `fl_free_rcu()` finally tears it down. A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that early `kfree()` and dereference freed option state, triggering a crash in `ip6fl_seq_show()`. Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches the lifetime already required for the enclosing flowlabel while readers can still reach it under RCU.

Denial Of Service Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31678 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: openvswitch: defer tunnel netdev_put to RCU release ovs_netdev_tunnel_destroy() may run after NETDEV_UNREGISTER already detached the device. Dropping the netdev reference in destroy can race with concurrent readers that still observe vport->dev. Do not release vport->dev in ovs_netdev_tunnel_destroy(). Instead, let vport_netdev_free() drop the reference from the RCU callback, matching the non-tunnel destroy path and avoiding additional synchronization under RTNL.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31675 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_netem: fix out-of-bounds access in packet corruption In netem_enqueue(), the packet corruption logic uses get_random_u32_below(skb_headlen(skb)) to select an index for modifying skb->data. When an AF_PACKET TX_RING sends fully non-linear packets over an IPIP tunnel, skb_headlen(skb) evaluates to 0. Passing 0 to get_random_u32_below() takes the variable-ceil slow path which returns an unconstrained 32-bit random integer. Using this unconstrained value as an offset into skb->data results in an out-of-bounds memory access. Fix this by verifying skb_headlen(skb) is non-zero before attempting to corrupt the linear data area. Fully non-linear packets will silently bypass the corruption logic.

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31673 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: af_unix: read UNIX_DIAG_VFS data under unix_state_lock Exact UNIX diag lookups hold a reference to the socket, but not to u->path. Meanwhile, unix_release_sock() clears u->path under unix_state_lock() and drops the path reference after unlocking. Read the inode and device numbers for UNIX_DIAG_VFS while holding unix_state_lock(), then emit the netlink attribute after dropping the lock. This keeps the VFS data stable while the reply is being built.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-31676 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: rxrpc: only handle RESPONSE during service challenge Only process RESPONSE packets while the service connection is still in RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before running response verification and security initialization, then use a local secured flag to decide whether to queue the secured-connection work after the state transition. This keeps duplicate or late RESPONSE packets from re-running the setup path and removes the unlocked post-transition state test.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-6992 HIGH This Week

OS command injection in Linksys MR9600 router firmware 2.0.6.206937 allows authenticated administrators to execute arbitrary system commands via crafted 'pin' parameter to the BTRequestGetSmartConnectStatus JNAP action handler. Publicly available exploit code exists (CVSS E:P), enabling remote compromise of router with full system-level access. Vendor notified but unresponsive, leaving users without confirmed patch. EPSS data not available; CVSS 7.3 severity reflects high impact limited by high privilege requirement (PR:H).

Linksys Command Injection
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-31679 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: openvswitch: validate MPLS set/set_masked payload length validate_set() accepted OVS_KEY_ATTR_MPLS as variable-sized payload for SET/SET_MASKED actions. In action handling, OVS expects fixed-size MPLS key data (struct ovs_key_mpls). Use the already normalized key_len (masked case included) and reject non-matching MPLS action key sizes. Reject invalid MPLS action payload lengths early.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-31674 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() Reject rt match rules whose addrnr exceeds IP6T_RT_HOPS. rt_mt6() expects addrnr to stay within the bounds of rtinfo->addrs[]. Validate addrnr during rule installation so malformed rules are rejected before the match logic can use an out-of-range value.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy