Redhat
Monthly
Heap buffer over-read in ImageMagick and Magick.NET's DJVU image handler allows local attackers to read out-of-bounds memory through integer truncation in stride calculations. An attacker can trigger this vulnerability by supplying a malicious DJVU file, potentially leading to information disclosure or application crashes. Updates are available for ImageMagick versions 7.1.2-15, 6.9.13-40 and later.
Magick.NET and ImageMagick versions before 7.1.2-15 and 6.9.13-40 are vulnerable to heap buffer over-read when processing low-resolution images with the wavelet-denoise filter, allowing local attackers to read sensitive memory. This out-of-bounds read could expose confidential information from adjacent heap memory with no possibility of code execution or denial of service. A patch is available for affected users.
An integer overflow in FreeRDP's Stream_EnsureCapacity function prior to version 3.23.0 can trigger an endless blocking loop, causing denial of service on affected client and server implementations. This vulnerability primarily impacts 32-bit systems with sufficient physical memory and has public exploit code available. Administrators should upgrade to FreeRDP 3.23.0 or later to remediate this issue.
FreeRDP versions prior to 3.23.0 contain an incomplete fix for a heap-use-after-free vulnerability that affects only the SDL2 code path, where freed memory pointers are not properly nulled, allowing an unauthenticated attacker to trigger a denial of service condition. Users running FreeRDP with SDL2 backends remain vulnerable despite the advisory claiming the issue was resolved. Upgrade to version 3.23.0 or later to obtain the complete fix.
Injection vulnerability in Storybook frontend workshop before 7.6.23 allows injecting malicious content through component stories. Patch available.
FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 7.5 HIGH]
Denial of service in FreeRDP prior to version 3.23.0 allows a malicious RDP server to crash the client application through a missing bounds check in smartcard packet handling. This vulnerability affects users who have explicitly enabled smartcard redirection, and public exploit code exists. The crash is triggered via assertion failure in builds with verbose assert checking enabled, which is the default configuration in FreeRDP 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 8.8 HIGH]
FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 8.8 HIGH]
FreeRDP versions prior to 3.23.0 are vulnerable to a buffer over-read in icon data processing that allows denial of service when clients receive crafted RDP Window Icon data from a server or network attacker. An unauthenticated remote attacker can exploit this vulnerability to crash the FreeRDP client by sending malicious icon structures during the RDP connection. A patch is available in version 3.23.0 and later.
Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth FreeRDP UAF. PoC and patch available.
Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers memory corruption. PoC and patch available.
Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and patch available.
FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 7.5 HIGH]
Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corruption. PoC and patch available.
Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory corruption. PoC and patch available.
FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 7.5 HIGH]
FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 4.3 MEDIUM]
LangChain's RecursiveUrlLoader in @langchain/community versions prior to 1.1.18 fails to validate redirect targets, allowing authenticated attackers to bypass SSRF protections by redirecting from whitelisted URLs to internal or metadata endpoints. An attacker with user credentials can exploit this to access sensitive internal resources or cloud metadata services through automatic redirect following. Affected applications should upgrade to version 1.1.18, which disables automatic redirects and re-validates each redirect destination.
Remote code execution in LangGraph's caching layer affects applications that explicitly enable cache backends inheriting from BaseCache with nodes opted into caching via CachePolicy. An attacker can exploit unsafe deserialization through pickle when msgpack serialization fails, allowing arbitrary code execution on affected systems. This vulnerability requires explicit cache configuration and does not affect default deployments.
OpenSIPS 3.1 through 3.6.3 with the auth_jwt module is vulnerable to SQL injection in the jwt_db_authorize() function when database mode is enabled, allowing unauthenticated attackers to bypass JWT authentication by injecting malicious SQL through the tag claim without prior signature verification. An attacker can exploit this to manipulate query results and impersonate arbitrary user identities. No patch is currently available for this vulnerability.
JNDI injection in mchange-commons-java library allows remote code execution through crafted JNDI lookup strings. Similar to Log4Shell attack pattern. PoC and patch available.
Path traversal in basic-ftp Node.js FTP client library before 5.2.0 allows malicious FTP servers to write files outside the intended download directory. PoC and patch available.
Denial of Service in Red Hat Developer Hub's Orchestrator Plugin allows authenticated users to crash the entire Backstage application through malformed GraphQL queries due to insufficient input validation. An attacker can leverage this to temporarily disable platform access for all legitimate users. No patch is currently available to address this vulnerability.
Unprivileged users can extract LUKS encryption headers from the udisks daemon due to missing authorization checks on a privileged D-Bus method, allowing attackers to read sensitive cryptographic metadata and potentially compromise encrypted storage confidentiality. The vulnerability affects systems running vulnerable versions of udisks and requires local access to exploit. No patch is currently available.
Improper authorization in the udisks D-Bus API allows local unprivileged users to manipulate LUKS encryption headers on block devices with root privileges, potentially destroying encryption keys and rendering volumes inaccessible. An attacker with local access can exploit this to cause permanent data loss through denial-of-service. No patch is currently available for this vulnerability.
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool. [CVSS 4.6 MEDIUM]
Pypdf versions up to 6.7.2 are affected by a loop with an unreachable exit condition (infinite loop) (CVSS 7.5).
Path traversal in Rollup JavaScript module bundler before 2.80.0/3.30.0/4.59.0 allows reading arbitrary files on the build server during bundling. PoC and patch available.
Wasmtime's HTTP header handling in the wasmtime-wasi-http crate crashes when processing excessive header fields, allowing remote attackers to trigger denial of service against applications embedding Wasmtime. The vulnerability affects versions prior to 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0, and has been patched to return a controlled trap instead of panicking. Embedders should update immediately to mitigate this DoS vector.
Uncontrolled resource allocation in Wasmtime's WASI host interfaces allows authenticated guests to trigger denial of service on the host system by exhausting resources without proper limits. Affected versions prior to 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 require explicit configuration to mitigate this issue, though Wasmtime 42.0.0 and later provide secure defaults. No patch is currently available for older versions, and resource exhaustion protections must be manually enabled.
Wasmtime versions 39.0.0 and later experience a denial-of-service panic when async WebAssembly component functions are called and then abandoned by the host before completion, such as when the Future is dropped after a single poll during an async yield. This affects applications using Wasmtime's component model with async support, allowing an attacker to crash the runtime through specially crafted async function invocations. A patch is available to address this stability issue.
NATS Server versions prior to 2.11.2 and 2.12.3 fail to properly limit memory allocation during WebSocket compression, allowing unauthenticated attackers to trigger denial of service through compression bomb attacks that exhaust server memory. The vulnerability is exploitable pre-authentication since compression negotiation occurs before credential validation. A patch is available in versions 2.11.2 and 2.12.3.
Memory safety bugs in Firefox 147 and Thunderbird 147 with evidence of memory corruption. Mainline-only bugs not present in ESR branches.
Uninitialized memory read in Firefox Graphics Text component before 148. Text rendering may expose uninitialized memory contents.
Invalid pointer in Firefox DOM Core & HTML before 148. Incorrect pointer computation leads to memory access errors.
A use-after-free vulnerability in Firefox and Thunderbird's JavaScript WebAssembly engine allows remote attackers to achieve information disclosure or data manipulation through a malicious webpage or email attachment that requires user interaction. Affected versions include Firefox below 148 and Thunderbird below 148, with no patch currently available. The vulnerability has a network attack vector with low complexity and carries a CVSS score of 5.4.
The Settings UI component in Firefox and Thunderbird versions prior to 148 fails to properly restrict access to sensitive configuration data, enabling unauthenticated attackers to remotely disclose confidential information without user interaction. This vulnerability bypasses existing security mitigations designed to protect user settings and preferences. No patch is currently available for affected users.
Firefox and Thunderbird versions below 148 contain a race condition in the JavaScript garbage collection component that could allow an attacker to access or modify limited data through specially crafted content requiring user interaction. The vulnerability has a CVSS score of 4.2 and currently lacks an available patch.
Improper boundary condition handling in the JavaScript/WebAssembly engine of Firefox and Thunderbird before version 148 enables remote denial of service attacks without requiring user interaction or privileges. An attacker can crash affected applications or cause service unavailability by sending specially crafted content. No patch is currently available.
Spoofing in Firefox for Android WebAuthn component before 148. Allows phishing attacks through WebAuthn UI manipulation.
Use-after-free in Firefox DOM Core & HTML before 148. DOM object lifecycle error.
A use-after-free vulnerability in Firefox and Thunderbird's DOM processing allows remote attackers to execute arbitrary code through a malicious webpage or email attachment, requiring only user interaction to trigger. This affects Firefox versions below 148 and Thunderbird versions below 148, with no patch currently available.
Use-after-free in Firefox JavaScript GC before 148. Second GC UAF, different from CVE-2026-2795.
JIT miscompilation in Firefox WebAssembly before 148. The JIT compiler generates incorrect Wasm code, enabling type confusion. PoC available.
Use-after-free in Firefox JavaScript GC component before 148. GC-specific UAF affecting only mainline Firefox and Thunderbird.
Uninitialized memory in Firefox and Firefox Focus for Android versions prior to 148 enables remote attackers to read sensitive data without authentication or user interaction. The vulnerability allows information disclosure through memory that was not properly cleared before use, potentially exposing confidential user information to network-based attackers.
Memory safety bugs in Firefox ESR 115.32, ESR 140.7, and Firefox 147. Broader set of memory corruption issues than CVE-2026-2792.
Memory safety bugs in Firefox ESR 140.7 and Firefox 147 with evidence of memory corruption and potential code execution exploitability.
Cache-based mitigation bypass in Firefox Networking before 148. Caching mechanism can be exploited to bypass security mitigations.
Same-origin policy bypass in Firefox Networking JAR component before 148. Allows cross-origin data access through JAR protocol handling.
Use-after-free in Firefox ImageLib graphics component before 148. Image processing triggers use of freed memory.
Boundary error in Firefox Audio/Video GMP (Gecko Media Plugins) component before 148. Media plugin processing triggers memory corruption.
Use-after-free in Firefox DOM Window and Location component before 148. Window/Location lifecycle management error.
Use-after-free in Firefox JavaScript Engine before 148. Fourth distinct JS engine UAF in this release.
Invalid pointer in Firefox JavaScript Engine before 148. Incorrect pointer computation leads to memory corruption.
DOM Security mitigation bypass in Firefox before 148. Security mechanisms protecting DOM operations can be circumvented.
Unauthenticated attackers can extract sensitive information from Firefox and Thunderbird users through a JavaScript engine JIT compilation flaw, affecting all versions prior to Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. The vulnerability requires no user interaction and can be exploited remotely over the network. No patch is currently available for this high-severity flaw.
Privilege escalation in Firefox Netmonitor component before 148. Second Netmonitor privilege escalation, separate from CVE-2026-2780.
Integer overflow in Firefox NSS (Network Security Services) Libraries component before 148. Overflow in the cryptographic library could affect TLS and certificate operations.
Privilege escalation in Firefox Netmonitor component before 148. Developer tools component allows escalation from content to higher privileges.
Boundary error in Firefox Networking JAR component before 148. Processing JAR (Java Archive) content triggers memory corruption.
Sandbox escape via DOM Core & HTML component in Firefox before 148. CVSS 10.0 — fifth sandbox escape in this release.
Privilege escalation in Firefox Messaging System component before 148. The inter-process messaging system allows escalation from content to privileged process.
Sandbox escape via Telemetry component in Firefox external software before 148. CVSS 10.0 — fourth sandbox escape in this release, through the telemetry subsystem.
HTML parser mitigation bypass in Firefox DOM before 148. Bypasses content sanitization protections via alternate authentication path in the HTML parser.
Integer overflow in Firefox Audio/Video component before 148. Overflow in media processing leads to incorrect memory allocations.
Boundary error in Firefox Web Audio component before 148. Crafted audio processing triggers memory corruption.
Use-after-free in Firefox Audio/Video Playback component before 148. Media playback triggers memory corruption.
Undefined behavior in Firefox DOM Core & HTML component before 148. Can lead to memory corruption and potential code execution.
Use-after-free in Firefox DOM Bindings (WebIDL) component before 148. Memory corruption in the interface between JavaScript and native DOM objects.
A use-after-free vulnerability in the IndexedDB storage component of Firefox and Thunderbird allows remote attackers to achieve arbitrary code execution through user interaction. Affected versions include Firefox below 148, Firefox ESR below 115.33 and 140.8, and Thunderbird below 148 and 140.8. No patch is currently available for this high-severity flaw.
Sandbox escape via IndexedDB in Firefox before 148 and Thunderbird. CVSS 10.0 — the Storage: IndexedDB component allows escaping the content process sandbox.
Use-after-free in Firefox JavaScript WebAssembly component before 148. WebAssembly-specific memory management bug.
Use-after-free in Firefox JavaScript JIT compiler before 148. Second JIT-related UAF in this release, different from CVE-2026-2764.
Use-after-free in Firefox JavaScript Engine before 148 and Thunderbird ESR 140.8. Separate UAF from CVE-2026-2763 and CVE-2026-2758.
JIT miscompilation causing use-after-free in Firefox JavaScript JIT compiler before 148. JIT bugs are highly exploitable due to their deterministic nature.
Use-after-free in Firefox JavaScript Engine before 148. One of multiple JS engine UAFs fixed in this release.
Integer overflow in Firefox JavaScript Standard Library before 148 leads to memory corruption through crafted JavaScript operations.
Second sandbox escape in Firefox WebRender component. CVSS 10.0 — independent path from CVE-2026-2760 to escape the content process sandbox.
Sandbox escape via boundary violation in Firefox WebRender graphics component. CVSS 10.0 — allows escaping the content sandbox to execute code with elevated privileges.
Boundary violation in Firefox ImageLib graphics component before 148 enables memory corruption through crafted images.
Use-after-free in Firefox JavaScript garbage collector before 148 allows remote code execution through crafted JavaScript.
Boundary violation in Firefox WebRTC Audio/Video component before 148 allows remote code execution through crafted WebRTC media streams.
ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 are vulnerable to denial of service through a use-after-free flaw in the MSL interpreter when processing malformed map elements. An unauthenticated attacker can trigger a crash by crafting a specially formatted image file, disrupting service availability. No patch is currently available, leaving affected systems vulnerable.
OpenEXR versions 3.3.0-3.3.6 and 3.4.0-3.4.4 are vulnerable to a heap buffer overflow in file parsing due to improper integer handling when processing malformed EXR files, allowing attackers to trigger a denial of service through memory-mapped streams. Public exploit code exists for this vulnerability. Patched versions 3.3.7 and 3.4.5 are available.
yt-dlp is a command-line audio/video downloader. [CVSS 8.8 HIGH]
Medium severity vulnerability in ImageMagick. The pcd coder lacks proper boundary checking when processing Huffman-coded data. The decoder contains a function with an incorrect initialization that could cause an out-of-bounds read.
ImageMagick versions up to 7.1.2-15 are affected by a loop with an unreachable exit condition (infinite loop) (CVSS 6.2).
ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 are vulnerable to denial of service when processing maliciously crafted image profiles containing invalid IPTC data, which triggers an infinite loop during IPTCTEXT writing operations. An attacker can exploit this by supplying a specially crafted image file to cause the application to hang or consume excessive resources. No patch is currently available for affected systems.
Privilege escalation in Firefox Messaging System component before 148. The inter-process messaging system allows escalation from content to privileged process.
Sandbox escape via Telemetry component in Firefox external software before 148. CVSS 10.0 — fourth sandbox escape in this release, through the telemetry subsystem.
HTML parser mitigation bypass in Firefox DOM before 148. Bypasses content sanitization protections via an alternate authentication path in the HTML parser.
Integer overflow in Firefox Audio/Video component before 148. Overflow in media processing leads to incorrect memory allocations.
Boundary error in Firefox Web Audio component before 148. Crafted audio processing triggers memory corruption.
Use-after-free in Firefox Audio/Video Playback component before 148. Media playback triggers memory corruption.
Undefined behavior in Firefox DOM Core & HTML component before 148. Can lead to memory corruption and potential code execution.
Use-after-free in Firefox DOM Bindings (WebIDL) component before 148. Memory corruption in the interface between JavaScript and native DOM objects.
A use-after-free vulnerability in the IndexedDB storage component of Firefox and Thunderbird allows remote attackers to achieve arbitrary code execution through user interaction. Affected versions include Firefox below 148, Firefox ESR below 115.33 and 140.8, and Thunderbird below 148 and 140.8. No patch is currently available for this high-severity flaw.
Sandbox escape via IndexedDB in Firefox before 148 and Thunderbird. CVSS 10.0 — the Storage: IndexedDB component allows escaping the content process sandbox.
Use-after-free in Firefox JavaScript WebAssembly component before 148. WebAssembly-specific memory management bug.
Use-after-free in Firefox JavaScript JIT compiler before 148. Second JIT-related UAF in this release, different from CVE-2026-2764.
Use-after-free in Firefox JavaScript Engine before 148 and Thunderbird ESR 140.8. Separate UAF from CVE-2026-2763 and CVE-2026-2758.
JIT miscompilation causing use-after-free in Firefox JavaScript JIT compiler before 148. JIT bugs are highly exploitable due to their deterministic nature.
Use-after-free in Firefox JavaScript Engine before 148. One of multiple JS engine UAFs fixed in this release.
Integer overflow in Firefox JavaScript Standard Library before 148 leads to memory corruption through crafted JavaScript operations.
Second sandbox escape in Firefox WebRender component. CVSS 10.0 — independent path from CVE-2026-2760 to escape the content process sandbox.
Sandbox escape via boundary violation in Firefox WebRender graphics component. CVSS 10.0 — allows escaping the content sandbox to execute code with elevated privileges.
Boundary violation in Firefox ImageLib graphics component before 148 enables memory corruption through crafted images.
Use-after-free in Firefox JavaScript garbage collector before 148 allows remote code execution through crafted JavaScript.
Boundary violation in Firefox WebRTC Audio/Video component before 148 allows remote code execution through crafted WebRTC media streams.
ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 are vulnerable to denial of service through a use-after-free flaw in the MSL interpreter when processing malformed map elements. An unauthenticated attacker can trigger a crash by crafting a specially formatted image file, disrupting service availability. No patch is currently available, leaving affected systems vulnerable.
OpenEXR versions 3.3.0-3.3.6 and 3.4.0-3.4.4 are vulnerable to a heap buffer overflow in file parsing due to improper integer handling when processing malformed EXR files, allowing attackers to trigger a denial of service through memory-mapped streams. Public exploit code exists for this vulnerability. Patched versions 3.3.7 and 3.4.5 are available.
yt-dlp is a command-line audio/video downloader. [CVSS 8.8 HIGH]
Medium-severity vulnerability in ImageMagick. The pcd coder lacks proper boundary checking when processing Huffman-coded data. The decoder contains a function with an incorrect initialization that could cause an out-of-bounds read.
ImageMagick versions up to 7.1.2-15 are affected by a loop with an unreachable exit condition (infinite loop) (CVSS 6.2).
ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 are vulnerable to denial of service when processing maliciously crafted image profiles containing invalid IPTC data, which triggers an infinite loop during IPTCTEXT writing operations. An attacker can exploit this by supplying a specially crafted image file to cause the application to hang or consume excessive resources. No patch is currently available for affected systems.