Monthly
Denial of service in Juniper Networks Junos OS on SRX Series allows unauthenticated remote attackers to crash srxpfe process via malformed ICMPv6 packets during NAT64 translation. Repeated exploitation sustains DoS by forcing continuous process restarts. Affects wide range of Junos OS versions from 21.2 through 25.2 on SRX hardware. Vulnerability limited to ICMPv6 traffic; IPv4 and standard IPv6 cannot trigger. No public exploit identified at time of analysis.
Denial of service in Juniper Networks Junos OS chassis control daemon (chassisd) on SRX1500, SRX4100, SRX4200, and SRX4600 allows local attackers with low privileges to crash the daemon via a specific 'show chassis' CLI command, causing complete traffic disruption until modules restart. The vulnerability affects Junos OS versions 23.2 before 23.2R2-S6, 23.4 before 23.4R2-S7, 24.2 before 24.2R2-S2, 24.4 before 24.4R2, and 25.2 before 25.2R1-S1 or 25.2R2. No public exploit code or active exploitation has been identified at time of analysis.
Packet buffer allocation failure in Juniper EX4000 and QFX5000 Series switches allows adjacent unauthenticated attackers to cause persistent Denial of Service requiring manual device restart. Attack vector requires specific configuration: device configured as service-provider edge with L2PT enabled on UNI and VSTP enabled on NNI in VXLAN scenarios. Receiving VSTP BPDUs on UNI triggers buffer exhaustion, halting all traffic forwarding. Affects Junos OS 24.4 through 24.4R1, 25.2 through 25.2R1. No public exploit identified at time of analysis.
Firewall filter bypass in Juniper Networks Junos OS on MX Series allows unauthenticated network-based attackers to access the control plane by exploiting improper exception handling in the packet forwarding engine when firewall filters are applied to non-zero loopback interfaces in the default routing instance. Affected MX platforms with MPC10, MPC11, LC4800, LC9600 line cards and MX304 models running Junos OS versions before 23.2R2-S6, 23.4R2-S7, 24.2R2, or 24.4R2 fail to enforce configured lo0.n ingress filters, allowing bypass of access controls designed to protect critical infrastructure management interfaces. No public exploit identified at time of analysis, but the vulnerability requires only network access and no authentication to trigger.
Denial of service in Juniper Junos OS chassis control daemon (chassisd) on SRX1600, SRX2300, and SRX4300 devices allows local attackers with low privileges to trigger a complete crash via a specific 'show chassis' CLI command, causing temporary traffic disruption until module recovery. Junos OS 24.4 versions before 24.4R1-S3 and 24.4R2 are affected; no public exploit code identified at time of analysis.
Incorrect transaction broadcast failure detection in BSV Ruby SDK 0.1.0 through 0.8.1 allows unauthenticated remote attackers to manipulate application logic by exploiting incomplete ARC response validation. The SDK's BSV::Network::ARC module only recognizes REJECTED and DOUBLE_SPEND_ATTEMPTED status codes as failures, silently treating INVALID, MALFORMED, MINED_IN_STALE_BLOCK, and ORPHAN-containing responses as successful broadcasts. Applications relying on broadcast confirmation for gating critical actions accept failed transactions as valid, enabling integrity compromise in blockchain-dependent workflows. No public exploit identified at time of analysis.
OpenSSL 3.0.0 through 3.6.1 leaks uninitialized memory contents to remote attackers through flawed RSA key encapsulation (RSASVE). Applications using EVP_PKEY_encapsulate() with attacker-supplied invalid RSA public keys can expose stale process memory containing sensitive data due to improper error handling in RSA_public_encrypt(). The vulnerability requires no authentication (CVSS AV:N/PR:N) but has low exploitation probability (EPSS 0.01%). Vendor patches are available for all affected 3.x branches. No active exploitation confirmed (not in CISA KEV), but multiple GitHub commits provide upstream fixes.
Cosign verify-blob-attestation incorrectly validates attestation signatures and predicate types in versions before 3.0.6 and 2.6.3, allowing remote attackers to bypass integrity verification by submitting malformed attestations or mismatched predicate types that are falsely reported as verified. The vulnerability affects container and binary code signing workflows where attestation integrity is critical for supply chain security.
Handlebars.js template engine crashes Node.js processes when compiling templates containing unregistered decorator syntax (e.g., {{*n}}), enabling single-request denial-of-service attacks against applications that accept user-supplied templates. The vulnerability affects the npm package handlebars (pkg:npm/handlebars) and has CVSS score 7.5 (AV:N/AC:L/PR:N/UI:N). A functional proof-of-concept demonstrating the crash exists in the public advisory, confirming exploit code is publicly available. No active exploitation (CISA KEV) has been reported at time of analysis.
Mattermost Plugins versions 11.4 and earlier, including 10.11.11.0, fail to validate webhook request timestamps, enabling attackers with high privileges to replay webhook requests and corrupt Zoom meeting state within Mattermost deployments. The vulnerability carries a CVSS score of 2.2 with low attack complexity but requires high-privilege authentication; no public exploit has been identified at time of analysis, and CISA has not flagged this for active exploitation.
Denial of service in Juniper Networks Junos OS on SRX Series allows unauthenticated remote attackers to crash srxpfe process via malformed ICMPv6 packets during NAT64 translation. Repeated exploitation sustains DoS by forcing continuous process restarts. Affects wide range of Junos OS versions from 21.2 through 25.2 on SRX hardware. Vulnerability limited to ICMPv6 traffic; IPv4 and standard IPv6 cannot trigger. No public exploit identified at time of analysis.
Denial of service in Juniper Networks Junos OS chassis control daemon (chassisd) on SRX1500, SRX4100, SRX4200, and SRX4600 allows local attackers with low privileges to crash the daemon via a specific 'show chassis' CLI command, causing complete traffic disruption until modules restart. The vulnerability affects Junos OS versions 23.2 before 23.2R2-S6, 23.4 before 23.4R2-S7, 24.2 before 24.2R2-S2, 24.4 before 24.4R2, and 25.2 before 25.2R1-S1 or 25.2R2. No public exploit code or active exploitation has been identified at time of analysis.
Packet buffer allocation failure in Juniper EX4000 and QFX5000 Series switches allows adjacent unauthenticated attackers to cause persistent Denial of Service requiring manual device restart. Attack vector requires specific configuration: device configured as service-provider edge with L2PT enabled on UNI and VSTP enabled on NNI in VXLAN scenarios. Receiving VSTP BPDUs on UNI triggers buffer exhaustion, halting all traffic forwarding. Affects Junos OS 24.4 through 24.4R1, 25.2 through 25.2R1. No public exploit identified at time of analysis.
Firewall filter bypass in Juniper Networks Junos OS on MX Series allows unauthenticated network-based attackers to access the control plane by exploiting improper exception handling in the packet forwarding engine when firewall filters are applied to non-zero loopback interfaces in the default routing instance. Affected MX platforms with MPC10, MPC11, LC4800, LC9600 line cards and MX304 models running Junos OS versions before 23.2R2-S6, 23.4R2-S7, 24.2R2, or 24.4R2 fail to enforce configured lo0.n ingress filters, allowing bypass of access controls designed to protect critical infrastructure management interfaces. No public exploit identified at time of analysis, but the vulnerability requires only network access and no authentication to trigger.
Denial of service in Juniper Junos OS chassis control daemon (chassisd) on SRX1600, SRX2300, and SRX4300 devices allows local attackers with low privileges to trigger a complete crash via a specific 'show chassis' CLI command, causing temporary traffic disruption until module recovery. Junos OS 24.4 versions before 24.4R1-S3 and 24.4R2 are affected; no public exploit code identified at time of analysis.
Incorrect transaction broadcast failure detection in BSV Ruby SDK 0.1.0 through 0.8.1 allows unauthenticated remote attackers to manipulate application logic by exploiting incomplete ARC response validation. The SDK's BSV::Network::ARC module only recognizes REJECTED and DOUBLE_SPEND_ATTEMPTED status codes as failures, silently treating INVALID, MALFORMED, MINED_IN_STALE_BLOCK, and ORPHAN-containing responses as successful broadcasts. Applications relying on broadcast confirmation for gating critical actions accept failed transactions as valid, enabling integrity compromise in blockchain-dependent workflows. No public exploit identified at time of analysis.
OpenSSL 3.0.0 through 3.6.1 leaks uninitialized memory contents to remote attackers through flawed RSA key encapsulation (RSASVE). Applications using EVP_PKEY_encapsulate() with attacker-supplied invalid RSA public keys can expose stale process memory containing sensitive data due to improper error handling in RSA_public_encrypt(). The vulnerability requires no authentication (CVSS AV:N/PR:N) but has low exploitation probability (EPSS 0.01%). Vendor patches are available for all affected 3.x branches. No active exploitation confirmed (not in CISA KEV), but multiple GitHub commits provide upstream fixes.
Cosign verify-blob-attestation incorrectly validates attestation signatures and predicate types in versions before 3.0.6 and 2.6.3, allowing remote attackers to bypass integrity verification by submitting malformed attestations or mismatched predicate types that are falsely reported as verified. The vulnerability affects container and binary code signing workflows where attestation integrity is critical for supply chain security.
Handlebars.js template engine crashes Node.js processes when compiling templates containing unregistered decorator syntax (e.g., {{*n}}), enabling single-request denial-of-service attacks against applications that accept user-supplied templates. The vulnerability affects the npm package handlebars (pkg:npm/handlebars) and has CVSS score 7.5 (AV:N/AC:L/PR:N/UI:N). A functional proof-of-concept demonstrating the crash exists in the public advisory, confirming exploit code is publicly available. No active exploitation (CISA KEV) has been reported at time of analysis.
Mattermost Plugins versions 11.4 and earlier, including 10.11.11.0, fail to validate webhook request timestamps, enabling attackers with high privileges to replay webhook requests and corrupt Zoom meeting state within Mattermost deployments. The vulnerability carries a CVSS score of 2.2 with low attack complexity but requires high-privilege authentication; no public exploit has been identified at time of analysis, and CISA has not flagged this for active exploitation.