Monthly
Denial of service in OpenSSL QUIC implementation allows remote unauthenticated attackers to exhaust server memory by sending crafted PATH_CHALLENGE frames that trigger unbounded memory growth in the QUIC handler. The flaw affects OpenSSL branches 3.4.x, 3.5.x, 3.6.x, and 4.0.0, and is fixed in the 4.0.1 security release alongside numerous other CVEs. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the network-reachable, no-auth nature of QUIC server endpoints makes the issue operationally relevant for TLS/QUIC-facing services.
Authenticated attackers can exhaust MongoDB Server memory using malicious bitwise match expressions ($bitsAllSet, $bitsAnySet, $bitsAllClear, $bitsAnyClear), leading to out-of-memory denial of service. Affects MongoDB Server 7.0 prior to 7.0.34, 8.0 prior to 8.0.23, 8.2 prior to 8.2.9, and 8.3 prior to 8.3.2. Vendor-released patches are available across all affected major versions. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability in the wild, and no public exploit code has been identified at time of analysis.
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 causes an application crash during zlib decompression in the packet dissection engine when processing malformed compressed traffic. Local attackers with user privileges can trigger the crash by opening a specially crafted pcap file or receiving a malicious packet capture, requiring user interaction but no authentication. No public exploit code or active exploitation has been identified at time of analysis.
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 allows local attackers to crash the application by triggering an unhandled exception in the LZ77 decompression engine when processing malformed compressed packet data. The vulnerability requires user interaction (opening a crafted packet capture file or receiving a malicious packet) but causes immediate application termination, impacting network analysis workflows.
Wireshark versions 4.6.0-4.6.4 and 4.4.0-4.4.14 crash when processing malformed WebSocket protocol packets, enabling local denial of service. An attacker with the ability to trigger packet dissection (either by crafting a malicious PCAP file or by intercepting traffic on a local network) can force the application to crash by supplying a WebSocket frame that triggers an unhandled error condition in the protocol dissector. The vulnerability requires user interaction (opening a file or navigating to a network interface) and operates at local scope, resulting in application unavailability rather than code execution.
Wireshark SMB2 protocol dissector crashes when processing malformed packets, causing denial of service in versions 4.6.0-4.6.4 and 4.4.0-4.4.14. A local attacker with low privileges can trigger the crash by crafting a malicious SMB2 packet and inducing the user to open it in Wireshark, resulting in application termination and loss of packet capture capability. No public exploit code or active exploitation in the wild has been identified at the time of analysis.
Wireshark 4.6.0-4.6.3 and 4.4.0-4.4.13 can be crashed through memory exhaustion in the USB HID protocol dissector when processing malformed packets. A local attacker with the ability to trigger packet analysis can cause a denial of service condition, and public exploit code exists for this vulnerability. No patch is currently available.
Improperly Controlled Sequential Memory Allocation vulnerability in foxinmy weixin4j (weixin4j-base/src/main/java/com/foxinmy/weixin4j/util modules). This vulnerability is associated with program files CharArrayBuffer.Java, ClassUtil.Java.
HTTP3 dissector crash in Wireshark 4.6.0 and 4.6.1 allows denial of service.
A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. Rated high severity (CVSS 7.5), the vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch is available.