CVE-2026-48514 MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length

MessagePack for C is a MessagePack serializer for C. Prior to 2.5.301 and 3.1.7, UnsafeBlitFormatterBase.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining...

CVE-2026-48515

Summary: CVE-2026-48515 affects MessagePack-CSharp. Before versions 2.5.301 and 3.1.7, multi-dimensional array formatters allocate T[,] / T[,,] / T[,,,] using dimension lengths read from the payload before validating the encoded element count, enabling large heap allocations. Impact: potential hi...

OESA-2026-2627 nginx security update

NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. Security Fixes: Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's modhttp leads to denial of service via malicious HTTP requests. This issue affects...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to insufficient validation in the DCM decoder. An attacker can cause the application to process images with invalid dimensions, potentially leading to application crashes or denia...

Allocation of Resources Without Limits or Throttling

Overview Magick.NET-Q8-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

Allocation of Resources Without Limits or Throttling

Overview Magick.NET-Q16-HDRI-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

CVE-2026-48107

Russh is a Rust SSH client & server library. From version 0.37.0 to before version 0.61.0, in the russh client keyboard-interactive authentication path, a malicious SSH server could send a USERAUTHINFOREQUEST with an attacker-controlled prompt count, and the client would use that raw count direct...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. An attacker can exhaust system resources by sending specially crafted requests over the network, resulting in service unavailability for legitimate users. Remediation Upgrade...

K000161639: Apache HTTP Server mod_http2 (HTTP/2 Bomb) vulnerability CVE-2026-49975

Security Advisory Description Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's modhttp leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67. CVE-2026-49975 Impact For products with None in the...

CVE-2026-49975

Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's modhttp leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67...

CVE-2026-5755

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.2, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, which allows authenticated users with file upload or posting permissions to cause a denial of service serve...

SAMSUNG Escargot 安全漏洞

SAMSUNG Escargot is a memory-optimized JavaScript engine developed by South Korea’s Samsung Corporation. It is suitable for mid-range devices such as smartphones, tablets, and TVs. SAMSUNG Escargot has a security vulnerability that stems from excessively large memory allocation values, which may...

GHSA-2C5C-CHWR-9HQW Netty HTTP/3 QPACK literal unbounded allocation

Summary When Netty decodes HTTP/3 headers, it sometimes runs new bytelength using a length from the wire before checking that many bytes are really there. A small malicious header can claim a huge length on the order of a gigabyte. Details When decoding header blocks, the non-Huffman branch of...

EUVD-2026-27243

Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue...

Security Bulletin: IBM Guardium Data Protection is affected by a single vulnerability (CVE-2025-8916)

Summary IBM Guardium Data Protection has addressed this vulnerability in an update. Vulnerability Details CVEID:CVE-2025-8916 DESCRIPTION: Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All API modules, Legion of the Bouncy...

openSUSE 16 Security Update : qemu (openSUSE-SU-2026:20567-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20567-1 advisory. Update to version 10.0.9. Security issues fixed: - CVE-2026-3196: unbounded memory allocation and host denial-of-service via PCMINFO requests se...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.22 contained security vulnerabilities. These vulnerabilities stemmed from unlimited memory allocation issues in remote media HTTP error handling, which could lead to excessive...

go-ipld-prime 安全漏洞

go-ipld-prime is an implementation of the IPLD open-source specification interface. Versions of go-ipld-prime prior to 0.22.0 contained security vulnerabilities. These vulnerabilities stemmed from the DAG-CBOR decoder using the set size declared in the CBOR header as a hint for Go’s pre-allocatio...

CVE-2026-28253

A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition...

Allocation of Resources Without Limits or Throttling

Overview Microsoft.AspNetCore.App.Runtime.linux-musl-arm is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or...