Red Hat
Monthly
This is an authentication and authorization bypass vulnerability in etcd's gRPC API layer that allows unauthorized users to execute privileged operations when etcd auth is enabled. Affected are etcd versions prior to 3.4.42, 3.5.28, and 3.6.9 (specifically the Go packages go.etcd.io/etcd/v3 and go.etcd.io/etcd). Attackers can enumerate cluster topology via MemberList, trigger denial of service through Alarm APIs, manipulate Lease operations affecting TTL-based keys, and force compaction to permanently delete historical data. Standard Kubernetes deployments are not affected as they do not rely on etcd's built-in authentication. No EPSS score or KEV listing is currently available, and the vulnerability was responsibly disclosed by multiple security researchers.
An authenticated user with restricted RBAC permissions on specific key ranges in etcd can use nested transactions to completely bypass key-level authorization controls and access the entire etcd data store. This affects etcd versions 3.4.x before 3.4.42, 3.5.x before 3.5.28, and 3.6.x before 3.6.9. While Kubernetes deployments are typically protected because Kubernetes handles authentication and authorization at the API server layer rather than relying on etcd's built-in controls, direct etcd deployments with RBAC restrictions are at significant risk.
libfuse versions 3.18.0 through 3.18.1 contain a NULL pointer dereference and memory leak vulnerability in the fuse_uring_init_queue function that affects only the io_uring transport implementation. A local user with low privileges can trigger this vulnerability to crash the FUSE daemon or exhaust system resources through repeated exploitation. A proof-of-concept has been confirmed with AddressSanitizer and LeakSanitizer, demonstrating both the NULL dereference condition and memory leak when numa_alloc_local or fuse_uring_register_queue fail.
Authenticated users can trigger a heap overflow in MariaDB 11.4 (before 11.4.10) and 11.8 (before 11.8.6) through the JSON_SCHEMA_VALID() function, causing denial of service and potentially remote code execution under specific memory layout conditions. The vulnerability requires valid database credentials and affects server availability and integrity across scope boundaries. No patch is currently available for vulnerable versions.
The tar-rs library versions 0.4.44 and below contain a symlink-following vulnerability in the unpack_dir function that allows attackers to modify permissions on arbitrary directories outside the extraction root. An attacker can craft a malicious tarball containing a symlink entry followed by a directory entry with the same name; when unpacked, the library follows the symlink and applies chmod to the target directory rather than validating it resides within the extraction root. This vulnerability has a CVSS score of 5.1 with network accessibility and low attack complexity, making it exploitable by remote attackers without privileges or special user interaction beyond accepting a crafted archive.
A race condition exists in the Linux kernel's io_uring subsystem where task work flags can be manipulated on stale ring memory during concurrent ring resize operations when DEFER_TASKRUN or SETUP_TASKRUN modes are enabled. This vulnerability affects Linux kernel versions including 6.13, 6.18.19, 6.19.9, and 7.0-rc4, and could allow an attacker with local code execution capabilities to cause information disclosure or kernel memory corruption. The vulnerability has been patched across multiple stable kernel versions as evidenced by available git commits, though no active KEV status or EPSS score has been published.
The Micronaut Framework contains an infinite loop vulnerability in its form-urlencoded body binding mechanism that occurs when array indices are processed in descending order, allowing remote attackers to trigger denial of service through CPU exhaustion and out-of-memory conditions. Versions prior to 4.10.16 and 3.10.5 are affected, with the vulnerability exploitable by sending crafted indexed form parameters without authentication. No public exploit code has been confirmed, but the issue is straightforward to trigger and has been patched in the referenced versions.
Heap corruption in Google Chrome's ANGLE graphics library prior to version 146.0.7680.153 can be triggered remotely through a malicious HTML page, potentially enabling arbitrary code execution on affected systems. The vulnerability stems from an integer overflow condition that requires only user interaction with a crafted webpage, affecting Chrome users across Windows, macOS, and Linux platforms. A patch is available and security professionals should prioritize updating to the latest Chrome version to mitigate this high-severity risk.
Heap buffer overflow in Google Chrome's WebRTC component (versions prior to 146.0.7680.153) enables remote code execution when users visit a malicious webpage, requiring only user interaction to trigger the vulnerability. An attacker can exploit this heap corruption to execute arbitrary code with the privileges of the affected browser process. A patch is available for Chrome and affected Linux distributions including Ubuntu and Debian.
An out of bounds read vulnerability exists in the Blink rendering engine of Google Chrome prior to version 146.0.7680.153, allowing remote attackers to read memory outside intended buffer boundaries via a specially crafted HTML page. This vulnerability (CWE-125) has been classified as High severity by the Chromium security team and enables information disclosure attacks without requiring user interaction beyond visiting a malicious webpage. A vendor patch is available, and the vulnerability affects 9 Debian releases, indicating widespread downstream impact across Linux distributions.
Heap corruption in Google Chrome's V8 engine prior to version 146.0.7680.153 enables remote code execution when users visit malicious websites, affecting Chrome, Ubuntu, and Debian systems. An unauthenticated attacker can craft a specially designed HTML page to trigger memory corruption and achieve complete system compromise without user interaction beyond visiting the page. A patch is available for immediate deployment.
Memory disclosure in Google Chrome's Skia rendering engine prior to version 146.0.7680.153 enables unauthenticated attackers to read out-of-bounds memory contents by tricking users into visiting malicious web pages. Affected users across Chrome, Ubuntu, and Debian distributions face potential information leakage including sensitive data from process memory. A patch is available for immediate deployment.
Heap corruption in Google Chrome's WebAudio component (versions prior to 146.0.7680.153) can be triggered through out-of-bounds memory access when processing malicious HTML pages, enabling remote attackers to achieve arbitrary code execution without user interaction beyond viewing the page. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available across all platforms.
Heap memory corruption in Google Chrome prior to version 146.0.7680.153 can be triggered through malicious browser extensions, affecting Chrome users on Google, Ubuntu, and Debian systems. An attacker must convince a user to install a compromised extension to exploit this use-after-free vulnerability and potentially achieve code execution. A patch is available.
Heap memory corruption in Google Chrome's V8 engine (versions prior to 146.0.7680.153) stems from type confusion vulnerabilities that can be triggered through malicious HTML pages without user privileges. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution or crash the browser. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available.
A use-after-free vulnerability in Google Chrome's Digital Credentials API prior to version 146.0.7680.153 enables attackers with a compromised renderer process to escape the sandbox and potentially achieve code execution through a specially crafted HTML page. The vulnerability affects Chrome on multiple platforms including Ubuntu and Debian systems, requiring user interaction to trigger but presenting high impact across confidentiality, integrity, and availability. A patch is available in Chrome 146.0.7680.153 and later versions.
Heap buffer overflow in PDFium within Google Chrome versions prior to 146.0.7680.153 enables remote attackers to corrupt heap memory and potentially achieve code execution by delivering a malicious PDF file. The vulnerability requires user interaction to open the crafted PDF but no authentication or special privileges. Patches are available for affected Google Chrome, Ubuntu, and Debian systems.
Heap memory corruption in Google Chrome versions prior to 146.0.7680.153 can be triggered through a use-after-free vulnerability in the Network component when a user visits a malicious HTML page. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with high integrity and confidentiality impact. A patch is available for Chrome, Ubuntu, and Debian users.
Cross-origin data leakage in Google Chrome's Dawn component on macOS versions prior to 146.0.7680.153 results from an integer overflow vulnerability that can be triggered through a malicious HTML page. An unauthenticated attacker can exploit this to access sensitive information from other origins without user interaction beyond viewing the crafted page. Patches are available for Chrome, Ubuntu, and Debian.
Heap corruption in Google Chrome's ANGLE graphics library on Windows versions prior to 146.0.7680.153 can be triggered through integer overflow when processing maliciously crafted HTML pages. An unauthenticated remote attacker can exploit this vulnerability by deceiving users into visiting a malicious website, potentially achieving arbitrary code execution. A patch is available across affected platforms including Google Chrome, Microsoft Edge, and various Linux distributions.
A renderer process sandbox escape vulnerability exists in Google Chrome prior to version 146.0.7680.153 due to insufficient input validation in the Navigation component. An attacker who has already compromised the renderer process can exploit this via a crafted HTML page to escape the sandbox and gain elevated privileges on the host system. A patch is available from Google, and the vulnerability is tracked in the EUVD database with High severity classification.
Heap corruption in Google Chrome's V8 engine prior to version 146.0.7680.153 can be triggered through out-of-bounds memory writes when a user visits a malicious webpage. An unauthenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with high integrity and confidentiality impact. A security patch is available for affected users on Chrome, Ubuntu, and Debian systems.
Heap memory corruption in Google Chrome's Blink rendering engine prior to version 146.0.7680.153 can be triggered through a malicious HTML page, potentially enabling remote code execution. An unauthenticated attacker requires only user interaction to exploit this use-after-free vulnerability across network boundaries. A patch is available for affected Chrome, Ubuntu, and Debian users.
Heap buffer overflow in Google Chrome's ANGLE graphics library (versions prior to 146.0.7680.153) enables remote attackers to corrupt heap memory and potentially achieve arbitrary code execution through malicious HTML pages requiring only user interaction. The vulnerability affects Chrome on multiple platforms including Ubuntu and Debian systems. A patch is available and should be applied immediately given the high severity and attack accessibility.
Heap corruption via use-after-free in Google Chrome's WebRTC implementation (versions prior to 146.0.7680.153) enables remote attackers to achieve arbitrary code execution through malicious HTML pages, requiring only user interaction. The vulnerability affects Chrome, Ubuntu, and Debian systems with a CVSS score of 8.8, though a patch is available.
Stack buffer overflow in Google Chrome's WebRTC implementation prior to version 146.0.7680.153 enables remote attackers to corrupt stack memory and achieve code execution through maliciously crafted HTML pages. The vulnerability affects Chrome, and potentially downstream products including Chromium-based browsers, requiring only user interaction and no authentication. A patch is available across affected platforms including Ubuntu and Debian.
Sandboxed arbitrary code execution in Google Chrome's WebAudio component (versions prior to 146.0.7680.153) can be triggered remotely through malicious HTML, requiring only user interaction. An attacker can craft a weaponized webpage to break out of the Chrome sandbox and execute arbitrary code on affected systems. This high-severity vulnerability impacts Chrome, Ubuntu, and Debian users, with patches now available.
Google Chrome versions prior to 146.0.7680.153 contain a heap buffer overflow in CSS parsing that enables remote code execution when users visit malicious HTML pages. An unauthenticated attacker can trigger heap memory corruption through a crafted webpage, potentially achieving arbitrary code execution with user privileges. A patch is available and should be applied immediately to all affected systems.
Heap corruption in Google Chrome versions before 146.0.7680.153 results from a use-after-free vulnerability in the Base component, enabling remote attackers to execute arbitrary code through malicious HTML pages. The attack requires user interaction but no authentication, affecting Chrome on multiple platforms including Linux distributions. A patch is available to remediate this critical-severity vulnerability.
This is a critical out-of-bounds read and write vulnerability in the WebGL implementation of Google Chrome prior to version 146.0.7680.153. The vulnerability allows a remote attacker to perform arbitrary memory read and write operations by crafting a malicious HTML page, potentially leading to information disclosure, code execution, or complete system compromise. The vulnerability affects multiple Debian releases and has been assigned ENISA EUVD ID EUVD-2026-13447; a vendor patch is available.
Out-of-bounds memory corruption in Google Chrome's WebGL implementation on Android prior to version 146.0.7680.153 enables remote attackers to escape the browser sandbox by delivering a malicious HTML page, requiring only user interaction. This critical vulnerability affects Chrome users on Android devices and could lead to complete system compromise if successfully exploited. A patch is available in Chrome 146.0.7680.153 and later versions.
A logic error in AWS-LC's CRL (Certificate Revocation List) distribution point validation causes the cryptographic library to incorrectly reject partitioned CRLs as out of scope, allowing revoked certificates to bypass certificate revocation checks. This authentication bypass vulnerability affects AWS-LC versions before 1.71.0 and AWS-LC-FIPS versions before 3.3.0, potentially allowing attackers to use revoked certificates for unauthorized access to systems that rely on AWS-LC for certificate validation. No active exploitation has been reported in KEV, and no EPSS score is available yet.
The fast-xml-parser library contains a logic error in DocTypeReader.js where JavaScript's falsy evaluation of the number 0 causes entity size and count limits to be completely bypassed when explicitly configured to 0. An attacker who can supply crafted XML input to an application using fast-xml-parser with these limits set to 0 can trigger unbounded entity expansion, exhausting server memory and causing denial of service. A proof-of-concept exists demonstrating the vulnerability, and the CVSS score of 5.9 reflects medium severity with high attack complexity, though the real-world impact is significant for applications that explicitly configure these restrictive limits.
JRuby's BCrypt implementation suffers from a signed integer overflow when the cost parameter is set to 31, causing the key-strengthening loop to execute zero iterations and reducing password hashing to a negligible computational cost. Applications using bcrypt-ruby with cost=31 generate seemingly valid hashes that verify correctly but provide virtually no protection against brute-force attacks. No patch is currently available for this vulnerability.
A Denial of Service vulnerability exists in Kibana's Timelion visualization plugin that allows authenticated users to trigger excessive memory allocation through improper validation of specially crafted Timelion expressions. An attacker with valid Kibana credentials can overwrite internal series data properties with excessively large quantity values, causing the application to exhaust system resources and become unavailable. This is a network-accessible vulnerability requiring low privileges with a CVSS score of 6.5 and documented as a confirmed denial-of-service attack vector affecting multiple active Kibana versions.
Kibana's Detection Rule Management lacks proper authorization controls, allowing authenticated users with rule management privileges to configure unauthorized endpoint response actions including host isolation and process termination. An attacker with these privileges could exploit this missing access control to execute sensitive endpoint operations beyond their intended scope. No patch is currently available for this medium-severity vulnerability affecting Elastic products.
The Go SDK's Streamable HTTP transport fails to validate the Origin header and Content-Type on POST requests, allowing attackers to send cross-site requests that bypass CORS protections and trigger MCP tool execution on vulnerable servers without authorization. This affects deployments using stateless or sessionless configurations where an attacker can host a malicious website to send arbitrary MCP requests to a victim's local server. A patch is available that implements Content-Type validation and configurable origin verification.
A reflected cross-site scripting (XSS) vulnerability exists in NLTK's WordNet Browser application (nltk.app.wordnet_app) in the lookup_... route, where attacker-controlled word parameters are reflected into HTML responses without proper escaping. This vulnerability affects users running the local WordNet Browser server and allows attackers to inject and execute arbitrary JavaScript in the browser context of the affected application. A proof-of-concept exploit has been publicly demonstrated, and a vendor patch is available.
The SimpleJWT PHP library version 1.1.0 contains an algorithmic complexity denial-of-service vulnerability in its PBES2 password-based encryption implementation. An unauthenticated attacker can send a crafted JWE token with an extremely large p2c (PBKDF2 iteration count) parameter in the header, forcing the server to perform hundreds of billions of iterations during key derivation and causing CPU exhaustion. A working proof-of-concept exploit is publicly available demonstrating how a single malicious request can block PHP workers until execution timeouts are reached.
Memory exhaustion in Python's pickle deserialization allows attackers to crash applications by supplying a small malicious payload that forces allocation of gigabytes of memory through unrestricted constructor arguments in whitelisted classes. Applications using `_RestrictedUnpickler` to load untrusted pickle data are vulnerable to denial of service attacks. A patch is available.
Dynaconf, a Python configuration management library, contains a Server-Side Template Injection (SSTI) vulnerability in its @jinja resolver that allows arbitrary command execution when attackers can control configuration sources such as environment variables, .env files, or CI/CD secrets. The vulnerability affects pip package dynaconf and includes a public proof-of-concept demonstrating command execution via Jinja2 template evaluation without sandboxing. The @format resolver additionally enables object graph traversal to expose sensitive runtime data including API keys and credentials.
HTSlib contains an out-of-bounds read vulnerability in the cram_decode_slice() function that fails to validate the reference ID field early enough during CRAM file parsing, allowing two separate out-of-bounds reads before error detection. The vulnerability affects HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1, and can result in information disclosure through leaked memory values or application crashes when processing malicious or corrupted CRAM bioinformatics files. While the function reports an error after the reads occur, the window for exploitation exists and the practical impact depends on memory layout and application context.
HTSlib, a bioinformatics library for reading and writing sequence alignment formats, contains a null pointer dereference vulnerability in its CRAM format decoder affecting versions before 1.23.1, 1.22.2, and 1.21.1. The vulnerability exists in the CONST, XPACK, and XRLE encodings which fail to properly handle CRAM records with omitted sequence or quality data, causing attempts to write to NULL pointers when these records are decoded. An attacker can exploit this by providing a malformed CRAM file to any application using vulnerable HTSlib versions, resulting in denial of service through application crash, with no known active exploitation or public proof-of-concept at this time.
HTSlib contains a heap buffer overflow vulnerability in its CRAM decoder caused by an out-by-one error when validating feature boundaries. When a user opens a maliciously crafted CRAM file, an attacker can write one controlled byte beyond the end of a heap buffer, potentially causing application crashes, data corruption, or arbitrary code execution. Versions 1.23.1, 1.22.2, and 1.21.1 include fixes, and patches are available via the official GitHub repository.
HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq() function when processing CRAM-formatted bioinformatics files with omitted sequence and quality data. An attacker can craft a malicious CRAM file that triggers an out-of-bounds read followed by an attacker-controlled single-byte write to heap memory, potentially enabling arbitrary code execution, data corruption, or denial of service when a user opens the file. No public exploit proof-of-concept has been identified, but the vulnerability is confirmed and patched by the HTSlib project.
Use-after-free in Linux kernel traffic control (net/sched) occurs when act_ct action returns TC_ACT_CONSUMED while a packet is held by the defragmentation engine, allowing local authenticated attackers with low privileges to achieve code execution, denial of service, or information disclosure. Affects Linux kernel 6.8 through 6.12.x and 6.18.x series. Vendor patches available across multiple stable branches (commits 524ce8b4, 380ad8b7, 9deda0fc, 11cb63b0). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation likelihood despite 7.8 CVSS rating. No active exploitation confirmed; not listed in CISA KEV.
This vulnerability is a race condition in the Linux kernel's F2FS file system that causes flag inconsistency between concurrent atomic commit and checkpoint write operations. The issue affects all Linux kernel versions with F2FS support (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), allowing information disclosure through incorrect inode state recovery after sudden power-off (SPO) scenarios. An attacker with local file system access during atomic write operations could trigger the race condition, leading to potential data inconsistency and information leakage when the system recovers.
A divide-by-zero vulnerability exists in the Linux kernel's rivafb framebuffer driver in the nv3_arb() function, which can be triggered by unprivileged userspace applications via the FBIOPUT_VSCREENINFO ioctl call on /dev/fb* devices. An attacker can crash the kernel by crafting a malicious or misconfigured PCI device that exposes a bogus PRAMDAC MCLK PLL configuration, causing the state->mclk_khz divisor to become zero. This is a Denial of Service vulnerability affecting the Linux kernel across multiple stable versions, with patches available in the kernel git repository.
A vulnerability in the Linux kernel's f2fs (Flash-Friendly File System) implementation fails to validate node footer integrity during asynchronous read and write I/O operations, allowing corrupted node page data to trigger a kernel BUG and cause denial of service. This affects all Linux kernel versions using f2fs, particularly those processing untrusted or fuzzed filesystem images. An attacker with the ability to craft a malicious f2fs filesystem image can trigger a kernel panic when the corrupted node page is written back, resulting in system unavailability.
A logic error in the Linux kernel's AMD GPU driver causes system crashes when two AMD GPUs are present and only one supports ASPM (Active State Power Management). The vulnerability stems from a commit that was erroneously reapplied after being removed in a prior refactoring, leading to incorrect ASPM state evaluation across multiple devices. Systems running affected Linux kernel versions with heterogeneous AMD GPU configurations (mixed ASPM support) will experience denial of service through kernel crashes.
A memory leak vulnerability exists in the Linux kernel's regmap maple tree caching implementation where allocated memory is not freed when the mas_store_gfp() function fails during a write operation. This affects all Linux kernel versions containing the vulnerable regcache_maple_write() function, potentially allowing local attackers to exhaust kernel memory through repeated cache write failures. While no CVSS score or EPSS data is currently available, the vulnerability has been assigned CVE-2026-23260 and multiple stable kernel patches are available, indicating this is a recognized and actively addressed issue.
A memory management vulnerability exists in the Linux kernel's io_uring subsystem where allocated iovec buffers may fail to be properly freed when a read/write request cannot be recycled back to the rw_cache. This affects all Linux kernel versions with the vulnerable io_uring/rw code path, potentially allowing local attackers to trigger memory leaks that degrade system performance or enable denial of service conditions. The vulnerability has been patched in the Linux kernel stable trees as evidenced by the provided commit references.
A memory leak vulnerability exists in the Linux kernel's Liquidio network driver within the setup_nic_devices() function where the netdev pointer is not initialized in the oct->props[i].netdev structure before calling queue setup functions. If netif_set_real_num_rx_queues() or netif_set_real_num_tx_queues() fail, the allocated netdev memory is not freed because the cleanup function liquidio_destroy_nic_device() cannot locate it via the NULL pointer. This affects all Linux kernel versions with the Liquidio driver and allows for memory exhaustion through repeated device initialization failures.
A memory leak vulnerability exists in the Linux kernel's liquidio network driver within the setup_nic_devices() function, where an off-by-one error in the cleanup loop causes failure to deallocate the last successfully allocated device during error handling. The vulnerability affects Linux kernel versions across multiple stable branches (as evidenced by patches in 4.9, 4.14, 4.19, 5.4, 5.10, 5.15, and 5.16 stable trees per the kernel.org references). While this is a local denial-of-service vector through memory exhaustion rather than a direct code execution path, it could be leveraged by unprivileged users to degrade system stability over time.
This vulnerability is an off-by-one error in the Linux kernel's liquidio driver that causes a memory leak during virtual function (VF) setup failure cleanup. The vulnerability affects the Linux kernel across all versions where the liquidio net driver is compiled, as identified through the affected CPE (cpe:2.3:a:linux:linux). While this is a memory leak rather than a direct code execution vulnerability, it can be exploited to exhaust kernel memory resources, leading to denial of service.
A vulnerability in the Linux kernel's Generic Receive Offload (GRO) implementation for UDP traffic causes incorrect network offset calculations when processing encapsulated packets. The flaw affects all Linux kernel versions where the GRO subsystem handles UDP encapsulation, as specified in the CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. When hardware NICs, the tun driver, or veth setups inject packets with the encapsulation flag set, the udp4_gro_complete() function incorrectly computes the outer UDP header pseudo checksum using the inner network offset, leading to checksum validation failures that can disrupt packet processing and potentially cause denial of service or packet drops. No active exploitation has been reported in the wild, and no public proof-of-concept code is known to exist, though the vulnerability is triggered through normal network operations involving UDP-encapsulated traffic.
This vulnerability is a missing exception fixup handler in the LoongArch architecture's BPF JIT compiler that fails to properly recover from memory access exceptions (ADEM) triggered by BPF_PROBE_MEM* instructions. The Linux kernel on LoongArch systems (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) is affected, potentially allowing information disclosure or denial of service when BPF programs attempt to safely probe memory locations. This is not actively exploited (no KEV status), but patches are available across multiple stable kernel branches.
A resource management vulnerability exists in the Linux kernel's Btrfs filesystem implementation where qgroup data reservations are incorrectly freed when an inline extent creation fails due to -ENOSPC (no space available). This causes the kernel to prematurely release qgroup quota accounting for data that will actually be used when the operation falls back to the normal copy-on-write path, potentially leading to qgroup quota inconsistencies and information disclosure about quota state. All Linux distributions using Btrfs with qgroup quota tracking enabled are affected. While no CVSS score or EPSS risk score has been assigned, the vulnerability has stable patches available in the Linux kernel repository.
A resource leak vulnerability exists in the Linux kernel's btrfs filesystem implementation where reserved qgroup data fails to be freed in error paths during inline extent insertion operations. This affects all Linux versions with vulnerable btrfs code, and allows local attackers with filesystem write access to exhaust kernel memory resources through repeated failed inline extent insertions, potentially causing denial of service. No active exploitation in the wild has been reported, but kernel memory exhaustion vulnerabilities are routinely targeted by local privilege escalation chains.
A specially crafted Socket.IO packet can cause the server to allocate unbounded memory by waiting for and buffering a large number of binary attachments, leading to denial of service through memory exhaustion. The vulnerability affects socket.io-parser versions across multiple major releases (v2.x, v3.x, and v4.x) used by Socket.IO server and client implementations. No EPSS score or KEV listing is available, but patches have been released by the vendor.
Zitadel's OAuth2/OIDC implementation contains an authentication bypass vulnerability (CWE-863: Improper Authorization) that allows unauthenticated attackers to circumvent organization enforcement controls during login. Affected versions 3.0.0-3.4.8 and 4.0.0-4.12.2 fail to validate organization membership scopes in device authorization flows and all Login V2/OIDC API V2 endpoints, enabling attackers to authenticate with users from unauthorized organizations. While the CVSS score of 5.3 indicates low-to-moderate severity with confidentiality impact only, the attack requires no privileges or user interaction and operates over the network, making it a practical concern for multi-tenant deployments.
A memory allocation failure vulnerability exists in the Linux kernel's XFS filesystem checking code where the xchk_xfile_*_descr macros call kasprintf with formatted strings that can exceed safe allocation limits, leading to potential denial of service or information disclosure. This affects Linux kernel versions 6.6 through 6.14 and later releases including 6.18.16, 6.19.6, and 7.0-rc1, with the vulnerability discoverable through syzbot fuzzing by researcher Jiaming Zhang. While no active exploitation has been confirmed, the issue represents a path to failure in a core filesystem validation component that could be triggered by malicious or malformed filesystem structures.
This vulnerability in the Linux kernel's XFS filesystem code involves improper pointer validation in xfarray and xfblob destructor functions, where the destructors can be called with invalid (dangling) pointers if the pointer is not properly nulled after deallocation. The vulnerability affects Linux kernel versions 6.9 through 6.10 and later patch versions, potentially allowing information disclosure or system instability. While no CVSS score or exploitation data is publicly available, the fix was backported across multiple kernel versions (6.12.75, 6.18.16, 6.19.6, 7.0-rc1) indicating recognition of the issue's significance across the kernel maintenance community.
A null pointer dereference vulnerability exists in the XFS filesystem checker (xchk_scrub_create_subord) in the Linux kernel, where the function returns a mangled ENOMEM error instead of NULL, and callers fail to properly validate the return value. This affects Linux kernel versions 6.2 through 6.10 and later stable branches, potentially allowing a local attacker with filesystem access to trigger a denial of service condition through unhandled memory allocation failures during XFS filesystem integrity checks.
A null pointer dereference vulnerability exists in the Linux kernel's XFS filesystem repair code when revalidating B-tree structures during fsck operations. The vulnerability affects Linux kernel versions across multiple release branches (6.8, 6.12.75, 6.18.16, 6.19.6, and 7.0-rc1) when the xfs_scrub utility attempts to repair both the free space B-tree (bnobt) and count B-tree (cntbt) simultaneously. An authenticated attacker with fsck/scrub privileges can trigger a kernel crash (denial of service) by injecting corruption markers via XFS_IOC_ERROR_INJECTION ioctl, causing the kernel to crash when the second B-tree revalidation is attempted after the first one fails and nullifies a required cursor.
A Denial of Service vulnerability exists in pypdf (Python PDF library) where an attacker can craft a malicious PDF file that causes excessive runtime and memory consumption by exploiting improper handling of array-based streams with large numbers of entries. All versions of pypdf prior to 6.9.1 are affected. An attacker can remotely trigger resource exhaustion on any system processing untrusted PDF files with this library, potentially causing application crashes or service unavailability.
Jenkins versions 2.442 through 2.554 and LTS 2.426.3 through 2.541.2 contain an origin validation bypass vulnerability in the CLI WebSocket endpoint that allows attackers to conduct DNS rebinding attacks. The vulnerability stems from improper use of Host and X-Forwarded-Host headers to compute expected request origins, enabling attackers to bypass authentication controls and potentially execute arbitrary commands through the CLI WebSocket interface. While no CVSS score, EPSS data, or active exploitation in the wild (KEV) status has been publicly disclosed, the vulnerability affects a critical Jenkins component and was responsibly disclosed by the Jenkins security team.
A stack out-of-bounds write vulnerability exists in the Linux kernel's mac80211 WiFi subsystem in the ieee80211_ml_reconfiguration function, where the link_id parameter extracted from the ML Reconfiguration element is not properly bounds-checked before being used as an array index. The vulnerability affects Linux kernel versions across multiple release branches (6.5 through 7.0-rc2), allowing an attacker with network proximity to craft a malicious WiFi frame to trigger a buffer overflow and potentially cause denial of service or code execution. While no CVSS score or EPSS data is currently published, the vulnerability has been assigned EUVD-2026-12809 and patches are available across stable kernel branches.
A memory allocation vulnerability exists in the Linux kernel's NVMe Persistent Reservation implementation where the nvme_pr_read_keys() function fails to properly handle large num_keys values passed from userspace, resulting in excessive memory allocation attempts up to 4MB that trigger page allocator warnings and potential denial of service. This affects Linux kernel versions across multiple stable branches (6.5, 6.12.77, 6.18.17, 6.19.7, and 7.0-rc3) and requires local access with ioctl privileges to trigger. The vulnerability is addressed through replacement of kzalloc() with kvzalloc() to support larger allocations via vmalloc fallback, and patches are available across multiple kernel stable branches.
A denial of service vulnerability in A cross-origin (CVSS 5.4). Remediation should follow standard vulnerability management procedures.
A denial of service vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
A bypass vulnerability in fast-xml-parser allows attackers to circumvent entity expansion limits through numeric character references (&#NNN;) and standard XML entities, causing denial of service via excessive memory allocation and CPU consumption. The vulnerability affects fast-xml-parser versions 5.x through 5.5.5, completely bypassing security controls added in the previous CVE-2026-26278 fix. A proof-of-concept demonstrates that even with strict limits configured (maxTotalExpansions=10), an attacker can inject 100,000+ numeric entities to consume hundreds of megabytes of memory.
Unbounded heap memory consumption in Micronaut HTTP Server versions 4.7.0 through 4.10.7 allows remote attackers to trigger denial of service via crafted exception messages that pollute an uncapped cache. By manipulating request parameters reflected in error responses, an unauthenticated attacker can exhaust server memory and cause OutOfMemoryError conditions. A patch is available in version 4.10.7 and later.
A security vulnerability in A vulnerability exists in the Community Tier of Harden-Runner that (CVSS 4.9). Remediation should follow standard vulnerability management procedures.
Devise's Confirmable module with the reconfirmable option enabled contains a race condition that allows attackers to confirm email addresses they don't control by sending concurrent email change requests. By exploiting the desynchronization between the confirmation token and unconfirmed email fields, an attacker can redirect a victim's email confirmation to their own account. This affects all Devise applications using the default Confirmable configuration with email changes, and is patched in Devise v5.0.3.
The NewXMLTree method in affected products is vulnerable to a denial of service condition where an out-of-bounds write of a single zero byte can trigger an application crash. An unauthenticated remote attacker can exploit this memory corruption vulnerability without user interaction to cause service disruption. No patch is currently available for this issue.
CVE-2026-29057 is a security vulnerability (CVSS 6.5) that allows request smuggling. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
Next.js image optimization caches unbounded disk space by default, enabling attackers to exhaust storage and cause denial of service by requesting numerous image variants. The vulnerability affects applications using the default `/_next/image` optimization feature without explicit cache size limits. A patch is available that introduces configurable cache size limits with LRU eviction.
Unbounded request body buffering in Next.js App Router with Partial Prerendering enabled allows remote attackers to trigger denial of service through oversized `next-resume` POST requests that bypass size enforcement in non-minimal deployments. An attacker can exhaust server memory by sending specially crafted resume payloads without authentication or user interaction. The vulnerability affects applications with experimental PPR features enabled and has been patched with consistent size limit enforcement.
Server Action CSRF validation in Next.js incorrectly treats null origins from sandboxed contexts as missing origins, allowing attackers to bypass verification and trick victim browsers into executing state-changing actions with their credentials. This affects applications relying on origin checks for CSRF protection without additional safeguards. A patch is available that enforces strict origin validation unless null is explicitly allowlisted.
CVE-2026-27977 is a security vulnerability (CVSS 5.4). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
SQL injection in the Katello plugin for Red Hat Satellite 6 allows authenticated remote attackers to execute arbitrary SQL commands via the sort_by parameter in the /api/hosts/bootc_images endpoint. An attacker can exploit this flaw to trigger database errors causing denial of service or conduct blind SQL injection attacks to extract sensitive information from the database. No patch is currently available for this vulnerability.
In the Linux kernel, the following vulnerability has been resolved: audit: add missing syscalls to read class The "at" variant of getxattr() and listxattr() are missing from the audit read class.
In the Linux kernel, the following vulnerability has been resolved: audit: add fchmodat2() to change attributes class fchmodat2(), introduced in version 6.6 is currently not in the change attribute class of audit.
Authlib's implementation of the JWE RSA1_5 key management algorithm contains a padding oracle vulnerability that leaks decryption failures through timing and exception patterns, allowing attackers to decrypt sensitive data without the private key. The library disabled the constant-time protections provided by the underlying cryptography library and raises exceptions before tag validation completes, creating a reliable side-channel. Public exploit code exists for this vulnerability affecting Authlib users in Python and related Oracle products.
CVE-2026-27448 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c).
This issue affects Apache Spark: before 3.5.7 and 4.0.1.
The file-type library's ZIP file type detection functions fail to limit decompression output for known-size inputs, allowing attackers to craft small compressed ZIP files that expand to hundreds of megabytes in memory during processing. Applications processing untrusted file uploads are vulnerable to denial-of-service attacks that cause excessive memory consumption and potential crashes. Public exploit code exists for this vulnerability, though a patch is available.
Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript.
This is an authentication and authorization bypass vulnerability in etcd's gRPC API layer that allows unauthorized users to execute privileged operations when etcd auth is enabled. Affected are etcd versions prior to 3.4.42, 3.5.28, and 3.6.9 (specifically the Go packages go.etcd.io/etcd/v3 and go.etcd.io/etcd). Attackers can enumerate cluster topology via MemberList, trigger denial of service through Alarm APIs, manipulate Lease operations affecting TTL-based keys, and force compaction to permanently delete historical data. Standard Kubernetes deployments are not affected as they do not rely on etcd's built-in authentication. No EPSS score or KEV listing is currently available, and the vulnerability was responsibly disclosed by multiple security researchers.
An authenticated user with restricted RBAC permissions on specific key ranges in etcd can use nested transactions to completely bypass key-level authorization controls and access the entire etcd data store. This affects etcd versions 3.4.x before 3.4.42, 3.5.x before 3.5.28, and 3.6.x before 3.6.9. While Kubernetes deployments are typically protected because Kubernetes handles authentication and authorization at the API server layer rather than relying on etcd's built-in controls, direct etcd deployments with RBAC restrictions are at significant risk.
libfuse versions 3.18.0 through 3.18.1 contain a NULL pointer dereference and memory leak vulnerability in the fuse_uring_init_queue function that affects only the io_uring transport implementation. A local user with low privileges can trigger this vulnerability to crash the FUSE daemon or exhaust system resources through repeated exploitation. A proof-of-concept has been confirmed with AddressSanitizer and LeakSanitizer, demonstrating both the NULL dereference condition and memory leak when numa_alloc_local or fuse_uring_register_queue fail.
Authenticated users can trigger a heap overflow in MariaDB 11.4 (before 11.4.10) and 11.8 (before 11.8.6) through the JSON_SCHEMA_VALID() function, causing denial of service and potentially remote code execution under specific memory layout conditions. The vulnerability requires valid database credentials and affects server availability and integrity across scope boundaries. No patch is currently available for vulnerable versions.
The tar-rs library versions 0.4.44 and below contain a symlink-following vulnerability in the unpack_dir function that allows attackers to modify permissions on arbitrary directories outside the extraction root. An attacker can craft a malicious tarball containing a symlink entry followed by a directory entry with the same name; when unpacked, the library follows the symlink and applies chmod to the target directory rather than validating it resides within the extraction root. This vulnerability has a CVSS score of 5.1 with network accessibility and low attack complexity, making it exploitable by remote attackers without privileges or special user interaction beyond accepting a crafted archive.
A race condition exists in the Linux kernel's io_uring subsystem where task work flags can be manipulated on stale ring memory during concurrent ring resize operations when DEFER_TASKRUN or SETUP_TASKRUN modes are enabled. This vulnerability affects Linux kernel versions including 6.13, 6.18.19, 6.19.9, and 7.0-rc4, and could allow an attacker with local code execution capabilities to cause information disclosure or kernel memory corruption. The vulnerability has been patched across multiple stable kernel versions as evidenced by available git commits, though no active KEV status or EPSS score has been published.
The Micronaut Framework contains an infinite loop vulnerability in its form-urlencoded body binding mechanism that occurs when array indices are processed in descending order, allowing remote attackers to trigger denial of service through CPU exhaustion and out-of-memory conditions. Versions prior to 4.10.16 and 3.10.5 are affected, with the vulnerability exploitable by sending crafted indexed form parameters without authentication. No public exploit code has been confirmed, but the issue is straightforward to trigger and has been patched in the referenced versions.
Heap corruption in Google Chrome's ANGLE graphics library prior to version 146.0.7680.153 can be triggered remotely through a malicious HTML page, potentially enabling arbitrary code execution on affected systems. The vulnerability stems from an integer overflow condition that requires only user interaction with a crafted webpage, affecting Chrome users across Windows, macOS, and Linux platforms. A patch is available and security professionals should prioritize updating to the latest Chrome version to mitigate this high-severity risk.
Heap buffer overflow in Google Chrome's WebRTC component (versions prior to 146.0.7680.153) enables remote code execution when users visit a malicious webpage, requiring only user interaction to trigger the vulnerability. An attacker can exploit this heap corruption to execute arbitrary code with the privileges of the affected browser process. A patch is available for Chrome and affected Linux distributions including Ubuntu and Debian.
An out of bounds read vulnerability exists in the Blink rendering engine of Google Chrome prior to version 146.0.7680.153, allowing remote attackers to read memory outside intended buffer boundaries via a specially crafted HTML page. This vulnerability (CWE-125) has been classified as High severity by the Chromium security team and enables information disclosure attacks without requiring user interaction beyond visiting a malicious webpage. A vendor patch is available, and the vulnerability affects 9 Debian releases, indicating widespread downstream impact across Linux distributions.
Heap corruption in Google Chrome's V8 engine prior to version 146.0.7680.153 enables remote code execution when users visit malicious websites, affecting Chrome, Ubuntu, and Debian systems. An unauthenticated attacker can craft a specially designed HTML page to trigger memory corruption and achieve complete system compromise without user interaction beyond visiting the page. A patch is available for immediate deployment.
Memory disclosure in Google Chrome's Skia rendering engine prior to version 146.0.7680.153 enables unauthenticated attackers to read out-of-bounds memory contents by tricking users into visiting malicious web pages. Affected users across Chrome, Ubuntu, and Debian distributions face potential information leakage including sensitive data from process memory. A patch is available for immediate deployment.
Heap corruption in Google Chrome's WebAudio component (versions prior to 146.0.7680.153) can be triggered through out-of-bounds memory access when processing malicious HTML pages, enabling remote attackers to achieve arbitrary code execution without user interaction beyond viewing the page. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available across all platforms.
Heap memory corruption in Google Chrome prior to version 146.0.7680.153 can be triggered through malicious browser extensions, affecting Chrome users on Google, Ubuntu, and Debian systems. An attacker must convince a user to install a compromised extension to exploit this use-after-free vulnerability and potentially achieve code execution. A patch is available.
Heap memory corruption in Google Chrome's V8 engine (versions prior to 146.0.7680.153) stems from type confusion vulnerabilities that can be triggered through malicious HTML pages without user privileges. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution or crash the browser. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available.
A use-after-free vulnerability in Google Chrome's Digital Credentials API prior to version 146.0.7680.153 enables attackers with a compromised renderer process to escape the sandbox and potentially achieve code execution through a specially crafted HTML page. The vulnerability affects Chrome on multiple platforms including Ubuntu and Debian systems, requiring user interaction to trigger but presenting high impact across confidentiality, integrity, and availability. A patch is available in Chrome 146.0.7680.153 and later versions.
Heap buffer overflow in PDFium within Google Chrome versions prior to 146.0.7680.153 enables remote attackers to corrupt heap memory and potentially achieve code execution by delivering a malicious PDF file. The vulnerability requires user interaction to open the crafted PDF but no authentication or special privileges. Patches are available for affected Google Chrome, Ubuntu, and Debian systems.
Heap memory corruption in Google Chrome versions prior to 146.0.7680.153 can be triggered through a use-after-free vulnerability in the Network component when a user visits a malicious HTML page. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with high integrity and confidentiality impact. A patch is available for Chrome, Ubuntu, and Debian users.
Cross-origin data leakage in Google Chrome's Dawn component on macOS versions prior to 146.0.7680.153 results from an integer overflow vulnerability that can be triggered through a malicious HTML page. An unauthenticated attacker can exploit this to access sensitive information from other origins without user interaction beyond viewing the crafted page. Patches are available for Chrome, Ubuntu, and Debian.
Heap corruption in Google Chrome's ANGLE graphics library on Windows versions prior to 146.0.7680.153 can be triggered through integer overflow when processing maliciously crafted HTML pages. An unauthenticated remote attacker can exploit this vulnerability by deceiving users into visiting a malicious website, potentially achieving arbitrary code execution. A patch is available across affected platforms including Google Chrome, Microsoft Edge, and various Linux distributions.
A renderer process sandbox escape vulnerability exists in Google Chrome prior to version 146.0.7680.153 due to insufficient input validation in the Navigation component. An attacker who has already compromised the renderer process can exploit this via a crafted HTML page to escape the sandbox and gain elevated privileges on the host system. A patch is available from Google, and the vulnerability is tracked in the EUVD database with High severity classification.
Heap corruption in Google Chrome's V8 engine prior to version 146.0.7680.153 can be triggered through out-of-bounds memory writes when a user visits a malicious webpage. An unauthenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with high integrity and confidentiality impact. A security patch is available for affected users on Chrome, Ubuntu, and Debian systems.
Heap memory corruption in Google Chrome's Blink rendering engine prior to version 146.0.7680.153 can be triggered through a malicious HTML page, potentially enabling remote code execution. An unauthenticated attacker requires only user interaction to exploit this use-after-free vulnerability across network boundaries. A patch is available for affected Chrome, Ubuntu, and Debian users.
Heap buffer overflow in Google Chrome's ANGLE graphics library (versions prior to 146.0.7680.153) enables remote attackers to corrupt heap memory and potentially achieve arbitrary code execution through malicious HTML pages requiring only user interaction. The vulnerability affects Chrome on multiple platforms including Ubuntu and Debian systems. A patch is available and should be applied immediately given the high severity and attack accessibility.
Heap corruption via use-after-free in Google Chrome's WebRTC implementation (versions prior to 146.0.7680.153) enables remote attackers to achieve arbitrary code execution through malicious HTML pages, requiring only user interaction. The vulnerability affects Chrome, Ubuntu, and Debian systems with a CVSS score of 8.8, though a patch is available.
Stack buffer overflow in Google Chrome's WebRTC implementation prior to version 146.0.7680.153 enables remote attackers to corrupt stack memory and achieve code execution through maliciously crafted HTML pages. The vulnerability affects Chrome, and potentially downstream products including Chromium-based browsers, requiring only user interaction and no authentication. A patch is available across affected platforms including Ubuntu and Debian.
Sandboxed arbitrary code execution in Google Chrome's WebAudio component (versions prior to 146.0.7680.153) can be triggered remotely through malicious HTML, requiring only user interaction. An attacker can craft a weaponized webpage to break out of the Chrome sandbox and execute arbitrary code on affected systems. This high-severity vulnerability impacts Chrome, Ubuntu, and Debian users, with patches now available.
Google Chrome versions prior to 146.0.7680.153 contain a heap buffer overflow in CSS parsing that enables remote code execution when users visit malicious HTML pages. An unauthenticated attacker can trigger heap memory corruption through a crafted webpage, potentially achieving arbitrary code execution with user privileges. A patch is available and should be applied immediately to all affected systems.
Heap corruption in Google Chrome versions before 146.0.7680.153 results from a use-after-free vulnerability in the Base component, enabling remote attackers to execute arbitrary code through malicious HTML pages. The attack requires user interaction but no authentication, affecting Chrome on multiple platforms including Linux distributions. A patch is available to remediate this critical-severity vulnerability.
This is a critical out-of-bounds read and write vulnerability in the WebGL implementation of Google Chrome prior to version 146.0.7680.153. The vulnerability allows a remote attacker to perform arbitrary memory read and write operations by crafting a malicious HTML page, potentially leading to information disclosure, code execution, or complete system compromise. The vulnerability affects multiple Debian releases and has been assigned ENISA EUVD ID EUVD-2026-13447; a vendor patch is available.
Out-of-bounds memory corruption in Google Chrome's WebGL implementation on Android prior to version 146.0.7680.153 enables remote attackers to escape the browser sandbox by delivering a malicious HTML page, requiring only user interaction. This critical vulnerability affects Chrome users on Android devices and could lead to complete system compromise if successfully exploited. A patch is available in Chrome 146.0.7680.153 and later versions.
A logic error in AWS-LC's CRL (Certificate Revocation List) distribution point validation causes the cryptographic library to incorrectly reject partitioned CRLs as out of scope, allowing revoked certificates to bypass certificate revocation checks. This authentication bypass vulnerability affects AWS-LC versions before 1.71.0 and AWS-LC-FIPS versions before 3.3.0, potentially allowing attackers to use revoked certificates for unauthorized access to systems that rely on AWS-LC for certificate validation. No active exploitation has been reported in KEV, and no EPSS score is available yet.
The fast-xml-parser library contains a logic error in DocTypeReader.js where JavaScript's falsy evaluation of the number 0 causes entity size and count limits to be completely bypassed when explicitly configured to 0. An attacker who can supply crafted XML input to an application using fast-xml-parser with these limits set to 0 can trigger unbounded entity expansion, exhausting server memory and causing denial of service. A proof-of-concept exists demonstrating the vulnerability, and the CVSS score of 5.9 reflects medium severity with high attack complexity, though the real-world impact is significant for applications that explicitly configure these restrictive limits.
JRuby's BCrypt implementation suffers from a signed integer overflow when the cost parameter is set to 31, causing the key-strengthening loop to execute zero iterations and reducing password hashing to a negligible computational cost. Applications using bcrypt-ruby with cost=31 generate seemingly valid hashes that verify correctly but provide virtually no protection against brute-force attacks. No patch is currently available for this vulnerability.
A Denial of Service vulnerability exists in Kibana's Timelion visualization plugin that allows authenticated users to trigger excessive memory allocation through improper validation of specially crafted Timelion expressions. An attacker with valid Kibana credentials can overwrite internal series data properties with excessively large quantity values, causing the application to exhaust system resources and become unavailable. This is a network-accessible vulnerability requiring low privileges with a CVSS score of 6.5 and documented as a confirmed denial-of-service attack vector affecting multiple active Kibana versions.
Kibana's Detection Rule Management lacks proper authorization controls, allowing authenticated users with rule management privileges to configure unauthorized endpoint response actions including host isolation and process termination. An attacker with these privileges could exploit this missing access control to execute sensitive endpoint operations beyond their intended scope. No patch is currently available for this medium-severity vulnerability affecting Elastic products.
The Go SDK's Streamable HTTP transport fails to validate the Origin header and Content-Type on POST requests, allowing attackers to send cross-site requests that bypass CORS protections and trigger MCP tool execution on vulnerable servers without authorization. This affects deployments using stateless or sessionless configurations where an attacker can host a malicious website to send arbitrary MCP requests to a victim's local server. A patch is available that implements Content-Type validation and configurable origin verification.
A reflected cross-site scripting (XSS) vulnerability exists in NLTK's WordNet Browser application (nltk.app.wordnet_app) in the lookup_... route, where attacker-controlled word parameters are reflected into HTML responses without proper escaping. This vulnerability affects users running the local WordNet Browser server and allows attackers to inject and execute arbitrary JavaScript in the browser context of the affected application. A proof-of-concept exploit has been publicly demonstrated, and a vendor patch is available.
The SimpleJWT PHP library version 1.1.0 contains an algorithmic complexity denial-of-service vulnerability in its PBES2 password-based encryption implementation. An unauthenticated attacker can send a crafted JWE token with an extremely large p2c (PBKDF2 iteration count) parameter in the header, forcing the server to perform hundreds of billions of iterations during key derivation and causing CPU exhaustion. A working proof-of-concept exploit is publicly available demonstrating how a single malicious request can block PHP workers until execution timeouts are reached.
Memory exhaustion in Python's pickle deserialization allows attackers to crash applications by supplying a small malicious payload that forces allocation of gigabytes of memory through unrestricted constructor arguments in whitelisted classes. Applications using `_RestrictedUnpickler` to load untrusted pickle data are vulnerable to denial of service attacks. A patch is available.
Dynaconf, a Python configuration management library, contains a Server-Side Template Injection (SSTI) vulnerability in its @jinja resolver that allows arbitrary command execution when attackers can control configuration sources such as environment variables, .env files, or CI/CD secrets. The vulnerability affects pip package dynaconf and includes a public proof-of-concept demonstrating command execution via Jinja2 template evaluation without sandboxing. The @format resolver additionally enables object graph traversal to expose sensitive runtime data including API keys and credentials.
HTSlib contains an out-of-bounds read vulnerability in the cram_decode_slice() function that fails to validate the reference ID field early enough during CRAM file parsing, allowing two separate out-of-bounds reads before error detection. The vulnerability affects HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1, and can result in information disclosure through leaked memory values or application crashes when processing malicious or corrupted CRAM bioinformatics files. While the function reports an error after the reads occur, the window for exploitation exists and the practical impact depends on memory layout and application context.
HTSlib, a bioinformatics library for reading and writing sequence alignment formats, contains a null pointer dereference vulnerability in its CRAM format decoder affecting versions before 1.23.1, 1.22.2, and 1.21.1. The vulnerability exists in the CONST, XPACK, and XRLE encodings which fail to properly handle CRAM records with omitted sequence or quality data, causing attempts to write to NULL pointers when these records are decoded. An attacker can exploit this by providing a malformed CRAM file to any application using vulnerable HTSlib versions, resulting in denial of service through application crash, with no known active exploitation or public proof-of-concept at this time.
HTSlib contains a heap buffer overflow vulnerability in its CRAM decoder caused by an out-by-one error when validating feature boundaries. When a user opens a maliciously crafted CRAM file, an attacker can write one controlled byte beyond the end of a heap buffer, potentially causing application crashes, data corruption, or arbitrary code execution. Versions 1.23.1, 1.22.2, and 1.21.1 include fixes, and patches are available via the official GitHub repository.
HTSlib versions prior to 1.23.1, 1.22.2, and 1.21.1 contain a heap buffer overflow vulnerability in the cram_decode_seq() function when processing CRAM-formatted bioinformatics files with omitted sequence and quality data. An attacker can craft a malicious CRAM file that triggers an out-of-bounds read followed by an attacker-controlled single-byte write to heap memory, potentially enabling arbitrary code execution, data corruption, or denial of service when a user opens the file. No public exploit proof-of-concept has been identified, but the vulnerability is confirmed and patched by the HTSlib project.
Use-after-free in Linux kernel traffic control (net/sched) occurs when act_ct action returns TC_ACT_CONSUMED while a packet is held by the defragmentation engine, allowing local authenticated attackers with low privileges to achieve code execution, denial of service, or information disclosure. Affects Linux kernel 6.8 through 6.12.x and 6.18.x series. Vendor patches available across multiple stable branches (commits 524ce8b4, 380ad8b7, 9deda0fc, 11cb63b0). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation likelihood despite 7.8 CVSS rating. No active exploitation confirmed; not listed in CISA KEV.
This vulnerability is a race condition in the Linux kernel's F2FS file system that causes flag inconsistency between concurrent atomic commit and checkpoint write operations. The issue affects all Linux kernel versions with F2FS support (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), allowing information disclosure through incorrect inode state recovery after sudden power-off (SPO) scenarios. An attacker with local file system access during atomic write operations could trigger the race condition, leading to potential data inconsistency and information leakage when the system recovers.
A divide-by-zero vulnerability exists in the Linux kernel's rivafb framebuffer driver in the nv3_arb() function, which can be triggered by unprivileged userspace applications via the FBIOPUT_VSCREENINFO ioctl call on /dev/fb* devices. An attacker can crash the kernel by crafting a malicious or misconfigured PCI device that exposes a bogus PRAMDAC MCLK PLL configuration, causing the state->mclk_khz divisor to become zero. This is a Denial of Service vulnerability affecting the Linux kernel across multiple stable versions, with patches available in the kernel git repository.
A vulnerability in the Linux kernel's f2fs (Flash-Friendly File System) implementation fails to validate node footer integrity during asynchronous read and write I/O operations, allowing corrupted node page data to trigger a kernel BUG and cause denial of service. This affects all Linux kernel versions using f2fs, particularly those processing untrusted or fuzzed filesystem images. An attacker with the ability to craft a malicious f2fs filesystem image can trigger a kernel panic when the corrupted node page is written back, resulting in system unavailability.
A logic error in the Linux kernel's AMD GPU driver causes system crashes when two AMD GPUs are present and only one supports ASPM (Active State Power Management). The vulnerability stems from a commit that was erroneously reapplied after being removed in a prior refactoring, leading to incorrect ASPM state evaluation across multiple devices. Systems running affected Linux kernel versions with heterogeneous AMD GPU configurations (mixed ASPM support) will experience denial of service through kernel crashes.
A memory leak vulnerability exists in the Linux kernel's regmap maple tree caching implementation where allocated memory is not freed when the mas_store_gfp() function fails during a write operation. This affects all Linux kernel versions containing the vulnerable regcache_maple_write() function, potentially allowing local attackers to exhaust kernel memory through repeated cache write failures. While no CVSS score or EPSS data is currently available, the vulnerability has been assigned CVE-2026-23260 and multiple stable kernel patches are available, indicating this is a recognized and actively addressed issue.
A memory management vulnerability exists in the Linux kernel's io_uring subsystem where allocated iovec buffers may fail to be properly freed when a read/write request cannot be recycled back to the rw_cache. This affects all Linux kernel versions with the vulnerable io_uring/rw code path, potentially allowing local attackers to trigger memory leaks that degrade system performance or enable denial of service conditions. The vulnerability has been patched in the Linux kernel stable trees as evidenced by the provided commit references.
A memory leak vulnerability exists in the Linux kernel's Liquidio network driver within the setup_nic_devices() function where the netdev pointer is not initialized in the oct->props[i].netdev structure before calling queue setup functions. If netif_set_real_num_rx_queues() or netif_set_real_num_tx_queues() fail, the allocated netdev memory is not freed because the cleanup function liquidio_destroy_nic_device() cannot locate it via the NULL pointer. This affects all Linux kernel versions with the Liquidio driver and allows for memory exhaustion through repeated device initialization failures.
A memory leak vulnerability exists in the Linux kernel's liquidio network driver within the setup_nic_devices() function, where an off-by-one error in the cleanup loop causes failure to deallocate the last successfully allocated device during error handling. The vulnerability affects Linux kernel versions across multiple stable branches (as evidenced by patches in 4.9, 4.14, 4.19, 5.4, 5.10, 5.15, and 5.16 stable trees per the kernel.org references). While this is a local denial-of-service vector through memory exhaustion rather than a direct code execution path, it could be leveraged by unprivileged users to degrade system stability over time.
This vulnerability is an off-by-one error in the Linux kernel's liquidio driver that causes a memory leak during virtual function (VF) setup failure cleanup. The vulnerability affects the Linux kernel across all versions where the liquidio net driver is compiled, as identified through the affected CPE (cpe:2.3:a:linux:linux). While this is a memory leak rather than a direct code execution vulnerability, it can be exploited to exhaust kernel memory resources, leading to denial of service.
A vulnerability in the Linux kernel's Generic Receive Offload (GRO) implementation for UDP traffic causes incorrect network offset calculations when processing encapsulated packets. The flaw affects all Linux kernel versions where the GRO subsystem handles UDP encapsulation, as specified in the CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. When hardware NICs, the tun driver, or veth setups inject packets with the encapsulation flag set, the udp4_gro_complete() function incorrectly computes the outer UDP header pseudo checksum using the inner network offset, leading to checksum validation failures that can disrupt packet processing and potentially cause denial of service or packet drops. No active exploitation has been reported in the wild, and no public proof-of-concept code is known to exist, though the vulnerability is triggered through normal network operations involving UDP-encapsulated traffic.
This vulnerability is a missing exception fixup handler in the LoongArch architecture's BPF JIT compiler that fails to properly recover from memory access exceptions (ADEM) triggered by BPF_PROBE_MEM* instructions. The Linux kernel on LoongArch systems (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) is affected, potentially allowing information disclosure or denial of service when BPF programs attempt to safely probe memory locations. This is not actively exploited (no KEV status), but patches are available across multiple stable kernel branches.
A resource management vulnerability exists in the Linux kernel's Btrfs filesystem implementation where qgroup data reservations are incorrectly freed when an inline extent creation fails due to -ENOSPC (no space available). This causes the kernel to prematurely release qgroup quota accounting for data that will actually be used when the operation falls back to the normal copy-on-write path, potentially leading to qgroup quota inconsistencies and information disclosure about quota state. All Linux distributions using Btrfs with qgroup quota tracking enabled are affected. While no CVSS score or EPSS risk score has been assigned, the vulnerability has stable patches available in the Linux kernel repository.
A resource leak vulnerability exists in the Linux kernel's btrfs filesystem implementation where reserved qgroup data fails to be freed in error paths during inline extent insertion operations. This affects all Linux versions with vulnerable btrfs code, and allows local attackers with filesystem write access to exhaust kernel memory resources through repeated failed inline extent insertions, potentially causing denial of service. No active exploitation in the wild has been reported, but kernel memory exhaustion vulnerabilities are routinely targeted by local privilege escalation chains.
A specially crafted Socket.IO packet can cause the server to allocate unbounded memory by waiting for and buffering a large number of binary attachments, leading to denial of service through memory exhaustion. The vulnerability affects socket.io-parser versions across multiple major releases (v2.x, v3.x, and v4.x) used by Socket.IO server and client implementations. No EPSS score or KEV listing is available, but patches have been released by the vendor.
Zitadel's OAuth2/OIDC implementation contains an authentication bypass vulnerability (CWE-863: Improper Authorization) that allows unauthenticated attackers to circumvent organization enforcement controls during login. Affected versions 3.0.0-3.4.8 and 4.0.0-4.12.2 fail to validate organization membership scopes in device authorization flows and all Login V2/OIDC API V2 endpoints, enabling attackers to authenticate with users from unauthorized organizations. While the CVSS score of 5.3 indicates low-to-moderate severity with confidentiality impact only, the attack requires no privileges or user interaction and operates over the network, making it a practical concern for multi-tenant deployments.
A memory allocation failure vulnerability exists in the Linux kernel's XFS filesystem checking code where the xchk_xfile_*_descr macros call kasprintf with formatted strings that can exceed safe allocation limits, leading to potential denial of service or information disclosure. This affects Linux kernel versions 6.6 through 6.14 and later releases including 6.18.16, 6.19.6, and 7.0-rc1, with the vulnerability discoverable through syzbot fuzzing by researcher Jiaming Zhang. While no active exploitation has been confirmed, the issue represents a path to failure in a core filesystem validation component that could be triggered by malicious or malformed filesystem structures.
This vulnerability in the Linux kernel's XFS filesystem code involves improper pointer validation in xfarray and xfblob destructor functions, where the destructors can be called with invalid (dangling) pointers if the pointer is not properly nulled after deallocation. The vulnerability affects Linux kernel versions 6.9 through 6.10 and later patch versions, potentially allowing information disclosure or system instability. While no CVSS score or exploitation data is publicly available, the fix was backported across multiple kernel versions (6.12.75, 6.18.16, 6.19.6, 7.0-rc1) indicating recognition of the issue's significance across the kernel maintenance community.
A null pointer dereference vulnerability exists in the XFS filesystem checker (xchk_scrub_create_subord) in the Linux kernel, where the function returns a mangled ENOMEM error instead of NULL, and callers fail to properly validate the return value. This affects Linux kernel versions 6.2 through 6.10 and later stable branches, potentially allowing a local attacker with filesystem access to trigger a denial of service condition through unhandled memory allocation failures during XFS filesystem integrity checks.
A null pointer dereference vulnerability exists in the Linux kernel's XFS filesystem repair code when revalidating B-tree structures during fsck operations. The vulnerability affects Linux kernel versions across multiple release branches (6.8, 6.12.75, 6.18.16, 6.19.6, and 7.0-rc1) when the xfs_scrub utility attempts to repair both the free space B-tree (bnobt) and count B-tree (cntbt) simultaneously. An authenticated attacker with fsck/scrub privileges can trigger a kernel crash (denial of service) by injecting corruption markers via XFS_IOC_ERROR_INJECTION ioctl, causing the kernel to crash when the second B-tree revalidation is attempted after the first one fails and nullifies a required cursor.
A Denial of Service vulnerability exists in pypdf (Python PDF library) where an attacker can craft a malicious PDF file that causes excessive runtime and memory consumption by exploiting improper handling of array-based streams with large numbers of entries. All versions of pypdf prior to 6.9.1 are affected. An attacker can remotely trigger resource exhaustion on any system processing untrusted PDF files with this library, potentially causing application crashes or service unavailability.
Jenkins versions 2.442 through 2.554 and LTS 2.426.3 through 2.541.2 contain an origin validation bypass vulnerability in the CLI WebSocket endpoint that allows attackers to conduct DNS rebinding attacks. The vulnerability stems from improper use of Host and X-Forwarded-Host headers to compute expected request origins, enabling attackers to bypass authentication controls and potentially execute arbitrary commands through the CLI WebSocket interface. While no CVSS score, EPSS data, or active exploitation in the wild (KEV) status has been publicly disclosed, the vulnerability affects a critical Jenkins component and was responsibly disclosed by the Jenkins security team.
A stack out-of-bounds write vulnerability exists in the Linux kernel's mac80211 WiFi subsystem in the ieee80211_ml_reconfiguration function, where the link_id parameter extracted from the ML Reconfiguration element is not properly bounds-checked before being used as an array index. The vulnerability affects Linux kernel versions across multiple release branches (6.5 through 7.0-rc2), allowing an attacker with network proximity to craft a malicious WiFi frame to trigger a buffer overflow and potentially cause denial of service or code execution. While no CVSS score or EPSS data is currently published, the vulnerability has been assigned EUVD-2026-12809 and patches are available across stable kernel branches.
A memory allocation vulnerability exists in the Linux kernel's NVMe Persistent Reservation implementation where the nvme_pr_read_keys() function fails to properly handle large num_keys values passed from userspace, resulting in excessive memory allocation attempts up to 4MB that trigger page allocator warnings and potential denial of service. This affects Linux kernel versions across multiple stable branches (6.5, 6.12.77, 6.18.17, 6.19.7, and 7.0-rc3) and requires local access with ioctl privileges to trigger. The vulnerability is addressed through replacement of kzalloc() with kvzalloc() to support larger allocations via vmalloc fallback, and patches are available across multiple kernel stable branches.
A denial of service vulnerability in A cross-origin (CVSS 5.4). Remediation should follow standard vulnerability management procedures.
A denial of service vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
A bypass vulnerability in fast-xml-parser allows attackers to circumvent entity expansion limits through numeric character references (&#NNN;) and standard XML entities, causing denial of service via excessive memory allocation and CPU consumption. The vulnerability affects fast-xml-parser versions 5.x through 5.5.5, completely bypassing security controls added in the previous CVE-2026-26278 fix. A proof-of-concept demonstrates that even with strict limits configured (maxTotalExpansions=10), an attacker can inject 100,000+ numeric entities to consume hundreds of megabytes of memory.
Unbounded heap memory consumption in Micronaut HTTP Server versions 4.7.0 through 4.10.7 allows remote attackers to trigger denial of service via crafted exception messages that pollute an uncapped cache. By manipulating request parameters reflected in error responses, an unauthenticated attacker can exhaust server memory and cause OutOfMemoryError conditions. A patch is available in version 4.10.7 and later.
A security vulnerability in A vulnerability exists in the Community Tier of Harden-Runner that (CVSS 4.9). Remediation should follow standard vulnerability management procedures.
Devise's Confirmable module with the reconfirmable option enabled contains a race condition that allows attackers to confirm email addresses they don't control by sending concurrent email change requests. By exploiting the desynchronization between the confirmation token and unconfirmed email fields, an attacker can redirect a victim's email confirmation to their own account. This affects all Devise applications using the default Confirmable configuration with email changes, and is patched in Devise v5.0.3.
The NewXMLTree method in affected products is vulnerable to a denial of service condition where an out-of-bounds write of a single zero byte can trigger an application crash. An unauthenticated remote attacker can exploit this memory corruption vulnerability without user interaction to cause service disruption. No patch is currently available for this issue.
CVE-2026-29057 is a security vulnerability (CVSS 6.5) that allows request smuggling. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
Next.js image optimization caches unbounded disk space by default, enabling attackers to exhaust storage and cause denial of service by requesting numerous image variants. The vulnerability affects applications using the default `/_next/image` optimization feature without explicit cache size limits. A patch is available that introduces configurable cache size limits with LRU eviction.
Unbounded request body buffering in Next.js App Router with Partial Prerendering enabled allows remote attackers to trigger denial of service through oversized `next-resume` POST requests that bypass size enforcement in non-minimal deployments. An attacker can exhaust server memory by sending specially crafted resume payloads without authentication or user interaction. The vulnerability affects applications with experimental PPR features enabled and has been patched with consistent size limit enforcement.
Server Action CSRF validation in Next.js incorrectly treats null origins from sandboxed contexts as missing origins, allowing attackers to bypass verification and trick victim browsers into executing state-changing actions with their credentials. This affects applications relying on origin checks for CSRF protection without additional safeguards. A patch is available that enforces strict origin validation unless null is explicitly allowlisted.
CVE-2026-27977 is a security vulnerability (CVSS 5.4). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
SQL injection in the Katello plugin for Red Hat Satellite 6 allows authenticated remote attackers to execute arbitrary SQL commands via the sort_by parameter in the /api/hosts/bootc_images endpoint. An attacker can exploit this flaw to trigger database errors causing denial of service or conduct blind SQL injection attacks to extract sensitive information from the database. No patch is currently available for this vulnerability.
In the Linux kernel, the following vulnerability has been resolved: audit: add missing syscalls to read class The "at" variant of getxattr() and listxattr() are missing from the audit read class.
In the Linux kernel, the following vulnerability has been resolved: audit: add fchmodat2() to change attributes class fchmodat2(), introduced in version 6.6 is currently not in the change attribute class of audit.
Authlib's implementation of the JWE RSA1_5 key management algorithm contains a padding oracle vulnerability that leaks decryption failures through timing and exception patterns, allowing attackers to decrypt sensitive data without the private key. The library disabled the constant-time protections provided by the underlying cryptography library and raises exceptions before tag validation completes, creating a reliable side-channel. Public exploit code exists for this vulnerability affecting Authlib users in Python and related Oracle products.
CVE-2026-27448 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c).
This issue affects Apache Spark: before 3.5.7 and 4.0.1.
The file-type library's ZIP file type detection functions fail to limit decompression output for known-size inputs, allowing attackers to craft small compressed ZIP files that expand to hundreds of megabytes in memory during processing. Applications processing untrusted file uploads are vulnerable to denial-of-service attacks that cause excessive memory consumption and potential crashes. Public exploit code exists for this vulnerability, though a patch is available.
Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript.