Suse

Use-after-free in Firefox JavaScript Engine before 148 and Thunderbird ESR 140.8. Separate UAF from CVE-2026-2763 and CVE-2026-2758.

JIT miscompilation causing use-after-free in Firefox JavaScript JIT compiler before 148. JIT bugs are highly exploitable due to their deterministic nature.

Use-after-free in Firefox JavaScript Engine before 148. One of multiple JS engine UAFs fixed in this release.

Integer overflow in Firefox JavaScript Standard Library before 148 leads to memory corruption through crafted JavaScript operations.

Second sandbox escape in Firefox WebRender component. CVSS 10.0 — independent path from CVE-2026-2760 to escape the content process sandbox.

Sandbox escape via boundary violation in Firefox WebRender graphics component. CVSS 10.0 — allows escaping the content sandbox to execute code with elevated privileges.

Boundary violation in Firefox ImageLib graphics component before 148 enables memory corruption through crafted images.

Use-after-free in Firefox JavaScript garbage collector before 148 allows remote code execution through crafted JavaScript.

Boundary violation in Firefox WebRTC Audio/Video component before 148 allows remote code execution through crafted WebRTC media streams.

Incorrect computation in CIRCL cryptographic library's CombinedMult function for secp384r1 (P-384) curve. Produces wrong elliptic curve multiplication results for specific inputs, potentially breaking ECDSA signature verification.

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 are vulnerable to denial of service through a use-after-free flaw in the MSL interpreter when processing malformed map elements. An unauthenticated attacker can trigger a crash by crafting a specially formatted image file, disrupting service availability. No patch is currently available, leaving affected systems vulnerable.

OpenEXR versions 3.3.0-3.3.6 and 3.4.0-3.4.4 are vulnerable to a heap buffer overflow in file parsing due to improper integer handling when processing malformed EXR files, allowing attackers to trigger a denial of service through memory-mapped streams. Public exploit code exists for this vulnerability. Patched versions 3.3.7 and 3.4.5 are available.

yt-dlp is a command-line audio/video downloader. [CVSS 8.8 HIGH]

Medium severity vulnerability in ImageMagick. The pcd coder lacks proper boundary checking when processing Huffman-coded data. The decoder contains an function that has an incorrect initialization that could cause an out of bounds read.

Imagemagick versions up to 7.1.2-15 is affected by loop with unreachable exit condition (infinite loop) (CVSS 6.2).

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 are vulnerable to denial of service when processing maliciously crafted image profiles containing invalid IPTC data, which triggers an infinite loop during IPTCTEXT writing operations. An attacker can exploit this by supplying a specially crafted image file to cause the application to hang or consume excessive resources. No patch is currently available for affected systems.

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 are vulnerable to denial of service when processing maliciously crafted SVG files due to an off-by-one error in boundary validation. An unauthenticated remote attacker can trigger an integer underflow by bypassing the flawed size check, causing the application to crash or become unresponsive. No patch is currently available for affected deployments.

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 contain a memory leak in the MSL parser where improper stack index management causes images to remain allocated after error conditions. An attacker could trigger this vulnerability by supplying a specially crafted image file, potentially leading to denial of service through resource exhaustion. No patch is currently available for affected systems.

ImageMagick is free and open-source software used for editing and manipulating digital images. [CVSS 5.3 MEDIUM]

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 are vulnerable to a heap buffer overflow in the YUV image decoder that allows remote attackers to trigger a denial of service condition by processing specially crafted YUV 4:2:2 images. The vulnerability stems from an off-by-one write error in the pixel processing loop that exceeds allocated buffer boundaries. No patch is currently available for affected installations.

Imagemagick versions up to 7.1.2-15 is affected by allocation of resources without limits or throttling (CVSS 7.5).

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 are vulnerable to a heap-use-after-free condition when processing specially crafted MSL scripts, allowing unauthenticated remote attackers to cause denial of service. The vulnerability occurs when the operation element handler frees image data while the parser continues accessing it, leading to memory corruption during subsequent parsing operations. No patch is currently available for affected versions.

Medium severity vulnerability in ImageMagick. A heap out-of-bounds read vulnerability exists in the `coders/dcm.c` module. When processing DICOM files with a specific configuration, the decoder loop incorrectly reads bytes per iteration. This causes the function to read past the end of the allocated buffer, potentially leading to a Denial of Service (crash) or Information Disclosure (leaking heap memory into the image).

Medium severity vulnerability in ImageMagick. # Magick fails to check for circular references between two MSLs, leading to a stack overflow.

A signed integer overflow vulnerability in ImageMagick's SIXEL decoder allows an attacker to trigger memory corruption and denial of service when processing a maliciously crafted SIXEL image file. The vulnerability occurs during buffer reallocation operations where pointer arithmetic using signed 32-bit integers overflows. ``` AddressSanitizer:DEADLYSIGNAL ================================================================= ==143838==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 #0 0x7f379d5adb53 (/lib/x86_64-linux-gnu/libc.so.6+0xc4b53) ```

ImageMagick versions prior to 7.1.2-15 contain a memory leak in the ASHLAR image coder where allocated memory fails to release upon exception handling, potentially causing denial of service through resource exhaustion on affected systems. An unauthenticated remote attacker can trigger this condition by processing specially crafted ASHLAR image files. No patch is currently available.

High severity vulnerability in ImageMagick. A stack buffer overflow occurs when processing the an attribute in msl.c. A long value overflows a fixed-size stack buffer, leading to memory corruption.

Stack-based buffer overflow in ImageMagick versions before 7.1.2-15 allows remote attackers to crash the application and potentially corrupt memory by submitting specially crafted FTXT image files. The vulnerability requires high complexity to exploit but impacts both confidentiality and availability of affected systems. No patch is currently available for this HIGH severity issue (CVSS 7.4).

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 allow local attackers to bypass the secure policy's stdin/stdout restrictions by using fd:<n> pseudo-filenames (e.g., fd:0, fd:1), enabling unauthorized reading and writing to standard streams. This vulnerability affects systems relying on ImageMagick's default security policies to prevent stream manipulation. No patch is currently available, though administrators can manually update their security policy configuration as a workaround.

ImageMagick before versions 7.1.2-15 and 6.9.13-40 allows local attackers to bypass path security policies and disclose sensitive files through path traversal sequences in filenames, as the policy enforcement occurs before filesystem resolution normalizes the paths. An attacker with local access can read restricted files like those in /etc/ even when policy-secure.xml is applied. A patch is not yet available, making this a significant risk for systems relying on ImageMagick's security policies for file access control.

ImageMagick's UIL and XPM image encoders fail to validate pixel index values before using them as array subscripts, allowing an attacker to craft malicious images that trigger out-of-bounds reads in HDRI builds. Exploitation can result in information disclosure or denial of service through process crashes. Versions prior to 7.1.2-15 and 6.9.13-40 are affected, and no patch is currently available.

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 contain an integer overflow in the SUN image decoder that allows heap buffer overflow on 32-bit systems when processing specially crafted image files. Attackers can trigger this vulnerability remotely without authentication to cause denial of service or potentially achieve code execution. A patch is currently unavailable, leaving affected 32-bit installations at risk until updates are released.

New API LLM gateway versions before 0.10.8-alpha.9 are vulnerable to stored cross-site scripting through the MarkdownRenderer component, which fails to sanitize script tags in model outputs. An authenticated attacker with user interaction can inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. Public exploit code exists for this vulnerability, though a patch is available.

ImageMagick is free and open-source software used for editing and manipulating digital images. [CVSS 5.3 MEDIUM]

ImageMagick is free and open-source software used for editing and manipulating digital images. [CVSS 5.3 MEDIUM]

Arbitrary code injection in ImageMagick's PostScript and HTML encoders allows attackers to inject malicious code that executes when files are processed by downstream applications like Ghostscript or web viewers. The vulnerability affects versions prior to 7.1.2-15 and 6.9.13-40 due to insufficient input sanitization in the ps and html coders. Users processing untrusted image files are at risk of code execution, though no patch is currently available.

ImageMagick is free and open-source software used for editing and manipulating digital images. [CVSS 5.3 MEDIUM]

ImageMagick is free and open-source software used for editing and manipulating digital images. [CVSS 5.3 MEDIUM]

Integer overflow in ImageMagick's UHDR image decoder allows remote attackers to trigger heap buffer overflows by supplying specially crafted images with large dimensions, potentially crashing the application or corrupting heap memory. The vulnerability affects ImageMagick versions prior to 7.1.2-15 and requires no user interaction or authentication to exploit. Organizations using vulnerable versions should upgrade immediately, as no workaround is available.

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 contain a memory leak in the MSL image coder that allows unauthenticated remote attackers to cause denial of service through resource exhaustion when processing specially crafted MSL image files. The vulnerability exists because the WriteMSLImage function fails to release allocated memory during early function returns. An attacker can exploit this over the network without authentication to exhaust server memory and crash the application.

ImageMagick is free and open-source software used for editing and manipulating digital images. [CVSS 5.3 MEDIUM]

Denial of service in New API's `/api/token/search` endpoint allows authenticated users to exhaust database resources through SQL wildcard injection in unescaped search parameters. An attacker can craft malicious search patterns that trigger expensive queries, causing service unavailability. Public exploit code exists for this medium-severity vulnerability affecting versions prior to 0.10.8-alpha.10.

Heap buffer over-read in ImageMagick and Magick.Net raw image format handlers allows local attackers to read sensitive data from heap memory when processing specially crafted images with mismatched extraction and size parameters. The vulnerability affects ImageMagick versions prior to 7.1.2-15 and 6.9.13-40, potentially exposing confidential information through out-of-bounds memory access. A patch is available for affected users.

ImageMagick is free and open-source software used for editing and manipulating digital images. [CVSS 7.5 HIGH]

ImageMagick and Magick.NET fail to properly validate nested MVG-to-SVG conversions, allowing unauthenticated remote attackers to trigger denial of service conditions. Affected versions prior to 7.1.2-15 and 6.9.13-40 are vulnerable to resource exhaustion attacks through specially crafted image files. A patch is available for both products.

Heap memory disclosure in ImageMagick's PSD file parser allows unauthenticated remote attackers to leak sensitive information from process memory by crafting malicious Photoshop files with improperly compressed layer data. Affected versions prior to 7.1.2-15 and 6.9.13-40 fail to properly validate decompressed data sizes, exposing uninitialized heap contents in generated output images. No patch is currently available for this vulnerability.

Denial of service in Valkey 9.0.0 through 9.0.2 allows unauthenticated network attackers to crash the server by exploiting improper networking state handling after empty requests. An attacker can trigger an assertion failure that causes the Valkey process to abort, impacting availability for all users. No patch is currently available; network isolation is recommended as a mitigation.

Out-of-bounds read in Valkey clusterbus port processing allows network-adjacent attackers to crash affected systems by sending specially crafted packets that bypass buffer validation checks. This vulnerability affects Valkey versions prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12, impacting any deployment exposing the clusterbus port to untrusted networks. Patches are available and administrators should restrict clusterbus access with network ACLs as an immediate mitigation.

Valkey is a distributed key-value database. [CVSS 8.5 HIGH]

saitoha libsixel until v1.8.7 was discovered to contain a memory leak via the component malloc_stub.c. [CVSS 4.0 MEDIUM]

libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c. [CVSS 5.0 MEDIUM]

libtiff up to v4.7.1 was discovered to contain a stack overflow via the readSeparateStripsIntoBuffer function. [CVSS 7.3 HIGH]

libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c. [CVSS 5.5 MEDIUM]

Flask versions 3.1.2 and earlier fail to set proper cache headers when the session object is accessed through certain methods like the Python `in` operator, allowing cached responses containing user-specific session data to be served to other users. An attacker can exploit this to access sensitive information from cached responses if the application runs behind a caching proxy that doesn't ignore Set-Cookie headers. This requires the vulnerable application to lack explicit Cache-Control headers and access session data in ways that bypass normal cache-control logic.

Werkzeug versions 3.1.5 and below on Windows fail to properly filter reserved device names in the safe_join function when paths contain multiple segments, allowing attackers to craft requests that trigger indefinite hangs by targeting special device names like NUL. Remote attackers can exploit this denial-of-service vulnerability against applications using send_from_directory to serve user-specified files. A patch is available in version 3.1.6.

GIMP is vulnerable to out-of-bounds memory write during XWD file parsing due to insufficient input validation, enabling arbitrary code execution when a user opens a malicious image file. This high-severity vulnerability (CVSS 7.8) affects local attackers who can craft specially crafted XWD files to corrupt memory and execute code with the privileges of the GIMP process. No patch is currently available.

Remote code execution in GIMP through heap buffer overflow during ICNS file parsing allows attackers to execute arbitrary code when a user opens a malicious image file. The vulnerability stems from insufficient validation of user-supplied data lengths before copying to heap memory, requiring only user interaction to trigger. A patch is available for affected installations.

Out-of-bounds write in GIMP's XWD file parser enables arbitrary code execution when users open malicious image files, requiring no special privileges or system access. Insufficient input validation during XWD file parsing allows attackers to overflow allocated buffers and execute code with the privileges of the affected user. A patch is available to address this vulnerability.

Arbitrary code execution in GIMP occurs when processing specially crafted PGM image files due to uninitialized memory access during file parsing. An attacker can exploit this vulnerability by tricking users into opening a malicious PGM file, resulting in code execution with the privileges of the GIMP process. A patch is available for this high-severity vulnerability (CVSS 7.8).

Authorization bypass in Kargo Kubernetes promotion tool from 1.7.0 before 1.7.8/1.8.11/1.9.3. Batch resource creation bypasses authorization checks. Patch available.

Kargo versions 1.9.0 through 1.9.2 fail to enforce the custom "promote" authorization verb in three REST API endpoints, allowing authenticated users with standard Kubernetes RBAC permissions to trigger promotions without the intended fine-grained access controls. An attacker with patch permissions on freight status or create permissions on promotions can bypass promotion pipeline restrictions and advance software artifacts unauthorized. A patch is available to restore the missing authorization checks.

Pypdf versions up to 6.7.1 is affected by allocation of resources without limits or throttling (CVSS 5.5).

Resource exhaustion in pypdf versions prior to 6.7.1 occurs when processing maliciously crafted PDF files with manipulated /ToUnicode font entries, causing excessive memory consumption and processing delays during text extraction operations. A local attacker with file access can exploit this to degrade system performance, though no code execution or data compromise is possible. The vulnerability affects Python environments using pypdf and is remedied by upgrading to version 6.7.1 or later.

Pypdf versions up to 6.7.1 is affected by loop with unreachable exit condition (infinite loop) (CVSS 5.5).

GIMP's ICO file parser fails to properly validate buffer lengths, enabling heap-based buffer overflow when processing malicious image files. An attacker can exploit this vulnerability to achieve remote code execution on affected systems by tricking users into opening specially crafted ICO files. A patch is available to address this high-severity flaw (CVSS 7.8).

Command injection in Deno versions prior to 2.6.8 allows unauthenticated remote attackers to execute arbitrary commands through the node:child_process implementation. Public exploit code exists for this vulnerability, which carries a CVSS score of 8.1 and affects the confidentiality, integrity, and availability of affected systems. Users should upgrade to Deno 2.6.8 or later to remediate this risk.

This affects versions of the package bn.j versions up to 5.2.3. is affected by loop with unreachable exit condition (infinite loop) (CVSS 5.3).

uTLS versions 1.6.0 through 1.8.0 fail to properly mimic Chrome's cipher suite selection behavior when using GREASE ECH, randomly choosing ChaCha20 for encrypted client hello while consistently using AES for the outer handshake—a mismatch that does not occur in actual Chrome and creates detectable fingerprints. This inconsistency affects users relying on uTLS for fingerprinting resistance and could enable network observers to distinguish uTLS traffic from legitimate Chrome connections. A patch is available to correct the cipher suite selection logic.

Minimatch versions 10.2.0 and below suffer from catastrophic backtracking in regular expression processing when glob patterns contain multiple consecutive wildcards, enabling denial of service attacks with exponential time complexity. Applications that process user-supplied glob patterns are vulnerable to CPU exhaustion, with worst-case scenarios causing indefinite hangs; public exploit code exists for this vulnerability. The issue is resolved in version 10.2.1.

uTLS versions 1.6.7 and below fail to validate TLS 1.3 downgrade protection mechanisms, allowing network attackers to force ClientHello modifications that cause servers to respond with lower TLS versions while bypassing detection checks. An active attacker can exploit this to downgrade encrypted connections to TLS 1.2 or earlier, potentially exposing traffic to known cryptographic weaknesses. Affected users of uTLS, Red Hat, and other TLS implementations should update to patched versions immediately.

Path traversal in node-tar versions 7.5.7 and earlier allows local attackers to read and write arbitrary files outside the extraction directory by crafting malicious tar archives containing hardlinks that bypass extraction path validation. Public exploit code exists for this vulnerability, which affects default extraction configurations in Node.js and related Tar implementations. The vulnerability has been patched in node-tar 7.5.8.

Calibre versions 9.2.1 and below allow authenticated users to write arbitrary files with any extension to any writable location via path traversal in PDB file readers, potentially enabling code execution or system compromise through file overwriting. The vulnerability affects both 132-byte and 202-byte PDB header variants and silently overwrites existing files without warning. Public exploit code exists and patches are available in version 9.3.0 and later.

Remote code execution in Calibre 9.2.1 and earlier allows authenticated users to write arbitrary files via a path traversal flaw in the extract_pictures() function that fails to properly sanitize directory traversal sequences. On Windows systems, attackers can exploit this to write malicious payloads to the Startup folder, achieving code execution upon the next user login. Public exploit code exists for this vulnerability, and a patch is available in version 9.3.0.

Cilium versions 1.18.0-1.18.5 with Native Routing, WireGuard, and Node Encryption enabled incorrectly allow cross-node Pod traffic that should be blocked, enabling unauthorized network access between isolated workloads. An attacker with network access to pods on different nodes can bypass network segmentation policies to access restricted services. The vulnerability affects deployments using these specific Cilium configurations and is resolved in version 1.18.6.

Go Ethereum (Geth) versions prior to 1.16.9 contain a cryptographic implementation flaw in ECIES that allows remote attackers to extract portions of the p2p node key without authentication. This exposure could compromise the confidentiality of node communications and potentially enable impersonation or network-level attacks against affected Ethereum nodes. Administrators should upgrade to version 1.16.9 or later and rotate their node keys by deleting the nodekey file.

Geth versions prior to 1.16.9 can be remotely crashed by sending a specially crafted message over the network, allowing unauthenticated attackers to cause denial of service against Ethereum nodes. This vulnerability in Go Ethereum's message handling requires no user interaction and affects the availability of affected nodes. Patched versions 1.16.9 and 1.17.0 are available to remediate this issue.

Go Ethereum versions up to 1.17.0 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Command injection in systeminformation versions before 5.31.0 allows local attackers with user privileges to execute arbitrary system commands through unsanitized output parsing in the versions() function. Public exploit code exists for this vulnerability, which provides complete system compromise capabilities including information disclosure, modification, and denial of service. Upgrade to version 5.31.0 or later to remediate.

Arbitrary command execution in systeminformation versions before 5.30.8 allows local attackers to execute OS commands through an unsanitized network interface parameter in the wifiNetworks() function's retry logic. Applications passing user-controlled input to this function are vulnerable to privilege escalation attacks running with Node.js process permissions. Public exploit code exists for this vulnerability; a patch is available.

Fast XML Parser versions 4.1.3 through 5.3.5 are vulnerable to XML entity expansion attacks that allow remote attackers to cause denial of service by forcing unbounded entity expansion with minimal payload sizes. Public exploit code exists for this vulnerability, enabling attackers to freeze or severely degrade application performance. Upgrade to version 5.3.6 or disable entity processing using the `processEntities: false` option to mitigate the risk.

emp3r0r C2 framework versions prior to 3.21.2 crash due to unsynchronized concurrent map access in Go goroutines, allowing attackers with network access to trigger denial of service against the C2 infrastructure. Public exploit code exists for this vulnerability. The issue is resolved in version 3.21.2 and later.

Heap buffer overflow in HDF5 versions prior to 1.14.4-2 allows attackers to trigger denial-of-service or potentially achieve code execution by crafting malicious h5 files. The vulnerability affects any system parsing untrusted HDF5 data files and has public exploit code available. A patch is not yet available, leaving affected deployments at risk.

QEMU's VMDK image parser is vulnerable to an out-of-bounds read when processing maliciously crafted disk images, allowing local attackers to leak sensitive information or trigger denial of service. This vulnerability affects systems running QEMU with untrusted VMDK input and currently lacks an available patch.

Incorrect permissions in Kata Containers allow container escape via file permission manipulation. PoC and patch available.

An Open Redirect vulnerability in the go-chi/chi >=5.2.2 RedirectSlashes function allows remote attackers to redirect victim users to malicious websites using the legitimate website domain. [CVSS 4.7 MEDIUM]

Unauthenticated remote file read in Echo web framework versions 5.0.0-5.0.2 on Windows allows attackers to traverse outside the static root directory and access arbitrary files via backslash path sequences in requests. The vulnerability stems from improper path normalization where path.Clean() does not treat backslashes as separators, but the underlying os.Open() call on Windows does, enabling directory traversal. Public exploit code exists for this medium-severity vulnerability, though a patch is available in version 5.0.3.

Out-of-bounds memory reads in Open Babel's MOL2 file handler (via OBAtom::SetFormalCharge function) allow remote attackers to trigger denial of service through malicious molecule files. Public exploit code is available for this vulnerability, which remains unpatched as of the advisory date. Versions up to 3.1.1 are affected.

Out-of-bounds read in Open Babel's CIF file handler (versions up to 3.1.1) allows remote denial of service when processing malicious files. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can trigger a crash by sending specially crafted input to the affected transform3d function without requiring authentication or user interaction beyond opening a file.

Unauthenticated file upload in Gogs self-hosted Git service 0.13.4 and below. Default configuration exposes file upload endpoints. PoC and patch available.

Gogs is an open source self-hosted Git service. [CVSS 8.8 HIGH]