Vulners
Lucene search
Linux Distros Unpatched Vulnerability : CVE-2026-2391
10
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(298899);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/22");
script_cve_id("CVE-2026-2391");
script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-2391");
script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.
- ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma:
true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of
the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p
(CVE-2025-15284). ### Details When the `comma` option is set to `true` (not the default, but configurable
in applications), qs allows parsing comma-separated strings as arrays (e.g., `?param=a,b,c` becomes `['a',
'b', 'c']`). However, the limit check for `arrayLimit` (default: 20) and the optional throwOnLimitExceeded
occur after the comma-handling logic in `parseArrayValue`, enabling a bypass. This permits creation of
arbitrarily large arrays from a single parameter, leading to excessive memory allocation. **Vulnerable
code** (lib/parse.js: lines ~40-50): ```js if (val && typeof val === 'string' && options.comma &&
val.indexOf(',') > -1) { return val.split(','); } if (options.throwOnLimitExceeded && currentArrayLength
>= options.arrayLimit) { throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + '
element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.'); } return val; ``` The
`split(',')` returns the array immediately, skipping the subsequent limit check. Downstream merging via
`utils.combine` does not prevent allocation, even if it marks overflows for sparse arrays.This discrepancy
allows attackers to send a single parameter with millions of commas (e.g., `?param=,,,,,,,,...`),
allocating massive arrays in memory without triggering limits. It bypasses the intent of `arrayLimit`,
which is enforced correctly for indexed (`a[0]=`) and bracket (`a[]=`) notations (the latter fixed in
v6.14.1 per GHSA-6rw7-vpxm-498p). ### PoC **Test 1 - Basic bypass:** ``` npm install qs ``` ```js const qs
= require('qs'); const payload = 'a=' + ','.repeat(25); // 26 elements after split (bypasses arrayLimit:
5) const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true }; try { const result =
qs.parse(payload, options); console.log(result.a.length); // Outputs: 26 (bypass successful) } catch (e) {
console.log('Limit enforced:', e.message); // Not thrown } ``` **Configuration:** - `comma: true` -
`arrayLimit: 5` - `throwOnLimitExceeded: true` Expected: Throws Array limit exceeded error. Actual:
Parses successfully, creating an array of length 26. ### Impact Denial of Service (DoS) via memory
exhaustion. (CVE-2026-2391)
Note that Nessus relies on the presence of the package as reported by the vendor.");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2026-2391");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-2391");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2026-2391");
script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
script_set_attribute(attribute:"agent", value:"unix");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:U/RC:C");
script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N");
script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-2391");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2026/02/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/02/13");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:24.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.10");
script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:8");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:13.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:10");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:9");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:node-qs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:firefox");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:firefox-x11");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:gjs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:gjs-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-azure-monitor");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-cloudwatch");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-elasticsearch");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-graphite");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-influxdb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-loki");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-mssql");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-mysql");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-opentsdb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-postgres");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-prometheus");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-selinux");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:grafana-stackdriver");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:mozjs60");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:mozjs60-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pcs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pcs-snmp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:polkit");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:polkit-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:polkit-docs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:polkit-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:sgx-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:sgx-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:sgx-mpa");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:sgx-pckid-tool");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tdx-qgs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:thunderbird");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:node-qs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:firefox");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:firefox-x11");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gjs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gjs-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-azure-monitor");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-cloudwatch");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-elasticsearch");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-graphite");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-influxdb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-loki");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-mssql");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-mysql");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-opentsdb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-postgres");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-prometheus");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-selinux");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:grafana-stackdriver");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mozjs60");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mozjs60-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pcs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pcs-snmp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:polkit");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:polkit-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:polkit-docs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:polkit-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sgx-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sgx-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sgx-mpa");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sgx-pckid-tool");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tdx-qgs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:thunderbird");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
script_require_ports("Host/OS/CentOS Linux-7", "Host/OS/CentOS Linux-8", "Host/OS/Debian Linux-11", "Host/OS/Debian Linux-12", "Host/OS/Debian Linux-13", "Host/OS/Red Hat Enterprise Linux-10", "Host/OS/Red Hat Enterprise Linux-7", "Host/OS/Red Hat Enterprise Linux-8", "Host/OS/Red Hat Enterprise Linux-9", "Host/OS/Ubuntu Linux-14.04", "Host/OS/Ubuntu Linux-16.04", "Host/OS/Ubuntu Linux-18.04", "Host/OS/Ubuntu Linux-20.04", "Host/OS/Ubuntu Linux-22.04", "Host/OS/Ubuntu Linux-24.04", "Host/OS/Ubuntu Linux-25.10");
exit(0);
}
if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/CentOS/rpm-list")) && empty_or_null(get_one_kb_item("Host/Debian/dpkg-l")) && empty_or_null(get_one_kb_item("Host/RedHat/rpm-list"))) audit(AUDIT_PACKAGE_LIST_MISSING);
include('linux_unpatched.inc');
var distro_constraints_array = {
"Debian Linux-11": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "11",
"pkgs": [
{"reference": "node-qs"}
]
}
]
},
"Debian Linux-12": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "12",
"pkgs": [
{"reference": "node-qs"}
]
}
]
},
"Debian Linux-13": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "13",
"pkgs": [
{"reference": "node-qs"}
]
}
]
},
"Ubuntu Linux-14.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "14.04",
"pkgs": [
{"reference": "node-qs"}
]
}
]
},
"Ubuntu Linux-16.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "16.04",
"pkgs": [
{"reference": "node-qs"}
]
}
]
},
"Ubuntu Linux-18.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "18.04",
"pkgs": [
{"reference": "node-qs"}
]
}
]
},
"Ubuntu Linux-20.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "20.04",
"pkgs": [
{"reference": "node-qs"}
]
}
]
},
"Ubuntu Linux-22.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "22.04",
"pkgs": [
{"reference": "node-qs"}
]
}
]
},
"Ubuntu Linux-24.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "24.04",
"pkgs": [
{"reference": "node-qs"}
]
}
]
},
"Ubuntu Linux-25.10": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "25.10",
"pkgs": [
{"reference": "node-qs"}
]
}
]
},
"Red Hat Enterprise Linux-10": {
"package_manager": "rpm-list",
"constraints": [
{
"release": "10",
"pkgs": [
{"reference": "firefox"},
{"reference": "gjs"},
{"reference": "gjs-devel"},
{"reference": "sgx-common"},
{"reference": "sgx-libs"},
{"reference": "sgx-mpa"},
{"reference": "sgx-pckid-tool"},
{"reference": "tdx-qgs"},
{"reference": "thunderbird"}
]
}
]
},
"CentOS Linux-7": {
"package_manager": "rpm-list",
"constraints": [
{
"release": "7",
"pkgs": [
{"reference": "firefox"}
]
}
]
},
"Red Hat Enterprise Linux-7": {
"package_manager": "rpm-list",
"constraints": [
{
"release": "7",
"pkgs": [
{"reference": "firefox"}
]
}
]
},
"CentOS Linux-8": {
"package_manager": "rpm-list",
"constraints": [
{
"release": "8",
"pkgs": [
{"reference": "firefox"},
{"reference": "grafana"},
{"reference": "grafana-azure-monitor"},
{"reference": "grafana-cloudwatch"},
{"reference": "grafana-elasticsearch"},
{"reference": "grafana-graphite"},
{"reference": "grafana-influxdb"},
{"reference": "grafana-loki"},
{"reference": "grafana-mssql"},
{"reference": "grafana-mysql"},
{"reference": "grafana-opentsdb"},
{"reference": "grafana-postgres"},
{"reference": "grafana-prometheus"},
{"reference": "grafana-selinux"},
{"reference": "grafana-stackdriver"},
{"reference": "mozjs60"},
{"reference": "mozjs60-devel"},
{"reference": "pcs"},
{"reference": "pcs-snmp"},
{"reference": "thunderbird"}
]
}
]
},
"Red Hat Enterprise Linux-8": {
"package_manager": "rpm-list",
"constraints": [
{
"release": "8",
"pkgs": [
{"reference": "firefox"},
{"reference": "grafana"},
{"reference": "grafana-azure-monitor"},
{"reference": "grafana-cloudwatch"},
{"reference": "grafana-elasticsearch"},
{"reference": "grafana-graphite"},
{"reference": "grafana-influxdb"},
{"reference": "grafana-loki"},
{"reference": "grafana-mssql"},
{"reference": "grafana-mysql"},
{"reference": "grafana-opentsdb"},
{"reference": "grafana-postgres"},
{"reference": "grafana-prometheus"},
{"reference": "grafana-selinux"},
{"reference": "grafana-stackdriver"},
{"reference": "mozjs60"},
{"reference": "mozjs60-devel"},
{"reference": "pcs"},
{"reference": "pcs-snmp"},
{"reference": "thunderbird"}
]
}
]
},
"Red Hat Enterprise Linux-9": {
"package_manager": "rpm-list",
"constraints": [
{
"release": "9",
"pkgs": [
{"reference": "firefox"},
{"reference": "firefox-x11"},
{"reference": "gjs"},
{"reference": "gjs-devel"},
{"reference": "grafana"},
{"reference": "grafana-selinux"},
{"reference": "pcs"},
{"reference": "pcs-snmp"},
{"reference": "polkit"},
{"reference": "polkit-devel"},
{"reference": "polkit-docs"},
{"reference": "polkit-libs"},
{"reference": "sgx-common"},
{"reference": "sgx-libs"},
{"reference": "sgx-mpa"},
{"reference": "sgx-pckid-tool"},
{"reference": "tdx-qgs"},
{"reference": "thunderbird"}
]
}
]
}
};
var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);
if (!empty_or_null(report))
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : report
);
exit(0);
}
else
{
audit(AUDIT_HOST_NOT, 'affected');
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 May 2026 00:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 3.13.7 - 7.5
CVSS 46.3
EPSS0.0005
SSVC