Monthly
Step CA versions 0.24.0 through 0.30.0-rc2 suffer a denial-of-service vulnerability where an attacker can trigger an index out-of-bounds panic by sending a crafted TPM attestation key certificate with an empty Extended Key Usage extension during device-attest-01 ACME challenges. The vulnerability affects only deployments that have explicitly configured TPM device attestation; organizations using Step CA for standard certificate management are unaffected. While the CVSS score is low (3.7), the attack is unauthenticated and remotely triggerable, potentially causing service disruption in vulnerable configurations.
Wasmtime prior to versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 fails to properly validate pointer alignment when transcoding strings into UTF-16 or Latin-1+UTF-16 encodings within the Component Model, allowing authenticated malicious WebAssembly guests to trigger host panics by passing specially crafted unaligned pointers across component boundaries. This denial-of-service vulnerability requires authenticated access and specific string configurations but results in controllable host crashes. CVSS score 5.9 reflects moderate severity with attack vector network and authentication requirement; SSVC framework rates exploitation as not yet observed with non-automatable exploitation.
Heap-based buffer overflow in LibRaw's lossless JPEG processing (commits 0b56545 and d20315b) allows unauthenticated remote attackers to achieve arbitrary code execution by providing a malicious image file. The vulnerability scores CVSS 9.8 (Critical) with network attack vector, low complexity, and no authentication required. No CISA KEV listing or public exploit identified at time of analysis, though Talos Intelligence has published detailed vulnerability research (TALOS-2026-2331).
Denial-of-service vulnerability in go-git v5 and earlier versions allows local attackers with write access to the repository to craft a malicious Git index file (format version 4) that triggers an out-of-bounds slice operation during parsing, causing application panic and process termination. The vulnerability requires local disk write access to the .git directory and user interaction (file opening), making it a low-severity but exploitable DoS vector for applications that do not gracefully handle panics. Patch versions v5.17.1 and v6 are available.
Ella Core contains an input validation flaw that causes the process to panic when receiving NGAP messages with PDU Session IDs outside the valid range of 1-15, enabling unauthenticated attackers to trigger denial of service affecting all connected subscribers. The vulnerability (CWE-129: Improper Validation of Array Index) carries a CVSS score of 6.5 with network-level attack vector and low complexity, though it requires low privilege context according to the vector string. No active exploitation in the wild has been confirmed, but the straightforward nature of crafting malformed NGAP messages means proof-of-concept development is feasible.
Packetbeat contains an improper array index validation vulnerability (CWE-129) in its protocol parser components that allows attackers to trigger out-of-bounds read operations through specially crafted network packets. Affected versions include Packetbeat 8.0.0 through 8.19.10 and 9.0.0 through 9.2.4, with the vulnerability requiring network-level access or traffic control to the monitored interface. An attacker exploiting this flaw can cause denial of service through application crashes or resource exhaustion; while the CVSS score of 5.7 indicates moderate severity and there is no indication of widespread active exploitation in public KEV databases, the patch availability through Elastic's security update (ESA-2026-11) released in version 8.19.11 and 9.2.5 suggests this is a confirmed and prioritized vulnerability worthy of timely remediation.
PostgreSQL client applications using the pgproto3 Go library (github.com/jackc/pgproto3/v2) can be crashed remotely by malicious or compromised PostgreSQL servers sending specially crafted DataRow messages with negative field lengths, triggering slice bounds panics that result in denial of service. The vulnerability requires no authentication and has low attack complexity (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), though the EPSS score of 0.07% (20th percentile) suggests minimal observed exploitation activity. Multiple detailed technical advisories exist including analysis from Security Infinity, and the issue is tracked in GitHub issue #2507 for the pgx project.
Out-of-bounds slice access in the Free5GC CHF nchf-convergedcharging service allows authenticated attackers to trigger server-side panics via malformed PUT requests to the recharge endpoint, causing denial of service and log flooding. An attacker with valid authentication credentials can repeatedly exploit this vulnerability to degrade recharge functionality and disrupt service availability. A patch is available to remediate this high-severity vulnerability.
Critical out-of-bounds write vulnerability in GStreamer's rtpqdm2depay component that allows remote code execution when processing malformed X-QDM RTP payloads. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction, though attack vectors vary by implementation. With a CVSS score of 8.8 and active patch available, this represents a significant risk for applications using GStreamer for media processing.
Packetbeat's PostgreSQL protocol parser improperly validates array indices, allowing authenticated attackers on the same network to crash the monitoring service by sending malicious packets. An attacker exploiting this denial-of-service vulnerability can terminate the Packetbeat process, disrupting monitoring capabilities on systems with PostgreSQL protocol monitoring enabled. No patch is currently available.
Step CA versions 0.24.0 through 0.30.0-rc2 suffer a denial-of-service vulnerability where an attacker can trigger an index out-of-bounds panic by sending a crafted TPM attestation key certificate with an empty Extended Key Usage extension during device-attest-01 ACME challenges. The vulnerability affects only deployments that have explicitly configured TPM device attestation; organizations using Step CA for standard certificate management are unaffected. While the CVSS score is low (3.7), the attack is unauthenticated and remotely triggerable, potentially causing service disruption in vulnerable configurations.
Wasmtime prior to versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 fails to properly validate pointer alignment when transcoding strings into UTF-16 or Latin-1+UTF-16 encodings within the Component Model, allowing authenticated malicious WebAssembly guests to trigger host panics by passing specially crafted unaligned pointers across component boundaries. This denial-of-service vulnerability requires authenticated access and specific string configurations but results in controllable host crashes. CVSS score 5.9 reflects moderate severity with attack vector network and authentication requirement; SSVC framework rates exploitation as not yet observed with non-automatable exploitation.
Heap-based buffer overflow in LibRaw's lossless JPEG processing (commits 0b56545 and d20315b) allows unauthenticated remote attackers to achieve arbitrary code execution by providing a malicious image file. The vulnerability scores CVSS 9.8 (Critical) with network attack vector, low complexity, and no authentication required. No CISA KEV listing or public exploit identified at time of analysis, though Talos Intelligence has published detailed vulnerability research (TALOS-2026-2331).
Denial-of-service vulnerability in go-git v5 and earlier versions allows local attackers with write access to the repository to craft a malicious Git index file (format version 4) that triggers an out-of-bounds slice operation during parsing, causing application panic and process termination. The vulnerability requires local disk write access to the .git directory and user interaction (file opening), making it a low-severity but exploitable DoS vector for applications that do not gracefully handle panics. Patch versions v5.17.1 and v6 are available.
Ella Core contains an input validation flaw that causes the process to panic when receiving NGAP messages with PDU Session IDs outside the valid range of 1-15, enabling unauthenticated attackers to trigger denial of service affecting all connected subscribers. The vulnerability (CWE-129: Improper Validation of Array Index) carries a CVSS score of 6.5 with network-level attack vector and low complexity, though it requires low privilege context according to the vector string. No active exploitation in the wild has been confirmed, but the straightforward nature of crafting malformed NGAP messages means proof-of-concept development is feasible.
Packetbeat contains an improper array index validation vulnerability (CWE-129) in its protocol parser components that allows attackers to trigger out-of-bounds read operations through specially crafted network packets. Affected versions include Packetbeat 8.0.0 through 8.19.10 and 9.0.0 through 9.2.4, with the vulnerability requiring network-level access or traffic control to the monitored interface. An attacker exploiting this flaw can cause denial of service through application crashes or resource exhaustion; while the CVSS score of 5.7 indicates moderate severity and there is no indication of widespread active exploitation in public KEV databases, the patch availability through Elastic's security update (ESA-2026-11) released in version 8.19.11 and 9.2.5 suggests this is a confirmed and prioritized vulnerability worthy of timely remediation.
PostgreSQL client applications using the pgproto3 Go library (github.com/jackc/pgproto3/v2) can be crashed remotely by malicious or compromised PostgreSQL servers sending specially crafted DataRow messages with negative field lengths, triggering slice bounds panics that result in denial of service. The vulnerability requires no authentication and has low attack complexity (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), though the EPSS score of 0.07% (20th percentile) suggests minimal observed exploitation activity. Multiple detailed technical advisories exist including analysis from Security Infinity, and the issue is tracked in GitHub issue #2507 for the pgx project.
Out-of-bounds slice access in the Free5GC CHF nchf-convergedcharging service allows authenticated attackers to trigger server-side panics via malformed PUT requests to the recharge endpoint, causing denial of service and log flooding. An attacker with valid authentication credentials can repeatedly exploit this vulnerability to degrade recharge functionality and disrupt service availability. A patch is available to remediate this high-severity vulnerability.
Critical out-of-bounds write vulnerability in GStreamer's rtpqdm2depay component that allows remote code execution when processing malformed X-QDM RTP payloads. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction, though attack vectors vary by implementation. With a CVSS score of 8.8 and active patch available, this represents a significant risk for applications using GStreamer for media processing.
Packetbeat's PostgreSQL protocol parser improperly validates array indices, allowing authenticated attackers on the same network to crash the monitoring service by sending malicious packets. An attacker exploiting this denial-of-service vulnerability can terminate the Packetbeat process, disrupting monitoring capabilities on systems with PostgreSQL protocol monitoring enabled. No patch is currently available.