732 matches found
CVE-2026-47703
Summary: CVE-2026-47703 affects AdGuard Home and its DoQ-to-UDP forwarding path. Prior to version 0.107.75, the backend UDP path could collapse the DNS transaction ID (txid) to 0 on client-triggered DoQ queries, reducing the entropy of the backend tuple from (txid, source-port) to only the source...
CVE-2026-10846
A flaw was found in ldns. When applications use ldns as a resolver over User Datagram Protocol UDP, it fails to properly match the query's destination address and port with the response's source address and port. Additionally, the query ID and question are not matched with the response. This...
FTP Fetch, Windows shellcode stage, Reverse UDP Stager with UUID Support
Fetch and execute an x86 payload from an FTP server. Custom shellcode stage. Connect back to the attacker with UUID Support Module Options msf use payload/cmd/windows/ftp/x86/custom/reverseudp msf payloadreverseudp show actions ...actions... msf payloadreverseudp set ACTION msf payloadreverseudp...
libcurl 8.18.0 < 8.21.0 QUIC UDP Denial of Service (CVE-2026-11352)
The version of libcurl installed on the remote host is 8.18.0 prior to 8.21.0. It is, therefore, affected by a denial of service vulnerability: - An issue in curl's QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client...
CVE-2026-55490
OpenWrt OpenWrt (embedded Linux) mediateces: CVE-2026-55490 affects the Emergency Access Daemon’s handle_send_a() where an integer underflow can lead to a pre-auth DoS by an unauthenticated attacker on the local network via a crafted UDP packet. The underflow causes a bounds-check misstep, then a...
CVE-2026-55490
OpenWrt is a Linux operating system targeting embedded devices. Before v25.12.5, an integer underflow in handlesenda of the Emergency Access Daemon allows any unauthenticated attacker on the local network to crash the daemon by sending a single crafted UDP packet. The message length underflows...
EEF-CVE-2026-54887 DTLS server cookie bypass during startup window due to empty initial cookie secret
Summary Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl DTLS server allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass. On DTLS server startup, dtls\server\connection:initial\hello/3 initializes previous\cookie\secret...
curl: libcurl: curl/libcurl: Remote denial of service via QUIC UDP receive function vulnerability
A flaw was found in curl and libcurl. A malicious HTTP/3 server can exploit an issue in the QUIC UDP receive function by continuously streaming empty UDP datagrams. This can lead to a remote denial of service DoS against a curl or libcurl client, as the helper function discards zero-length UDP...
PT-2026-55282
Name of the Vulnerable Software and Affected Versions Eclipse Wakaama versions prior to snapshot/2026-05-26 Description An unbounded memory allocation issue exists in the CoAP Block1 handler within the coap/block.c file. Unauthenticated remote attackers can cause a denial of service by sending a...
PT-2026-54076
Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 150.0.7871.47 Description A use after free issue exists in the QUIC protocol implementation. This allows a remote attacker to potentially exploit heap corruption by sending malicious network traffic. Use after...
udp: clear skb->dev before running a sockmap verdict
...
GHSA-QH5X-RFWF-RVFV Hysteria vulnerable to server crash when max_datagram_frame_size very small
Summary An authenticated client can crash the Hysteria server by advertising a very small QUIC maxdatagramframesize and then triggering a UDP response from the server. When the server tries to send the UDP response back via QUIC DATAGRAM, quic-go returns DatagramTooLargeError. The server then...
GHSA-VGRC-HQ28-P3XP Hysteria has an authenticated UDP ACL bypass that enables localhost and private-network UDP SSRF
Summary Hysteria's UDP relay treats the destination address as packet-scoped, but ACL and outbound policy are applied only once when a new UDP session is created. After an authenticated client opens a UDP session using an allowed first destination, later packets in the same Session ID can be sent...
CVE-2026-48497 Envoy: Abnormal process termination in DNS UDP filter
Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, in cases where UDP DNS filter is configured with local resolution containing a name with the length of 255 octets or remote resolution for a name of 255 octets long...
CVE-2026-53070
A flaw was found in the Linux kernel's Stream Control Transmission Protocol SCTP over User Datagram Protocol UDP implementation. An issue with managing the transmission context across different processing units could lead to incorrect recursion level detection. This can cause network packets to b...
EUVD-2026-39326
In the Linux kernel, the following vulnerability has been resolved: net: add pskbmaypull to skbgroreceivelist skbgroreceivelist calls skbpullskb, skbgrooffsetskb without first ensuring the data is in the linear area via pskbmaypull. When the skb arrives via napigrofrags, skbheadlen can be 0 all...
CVE-2026-53184
The CVE-2026-53184 issue affects the Linux kernel UDP sockmap path. On UDP receive, skb->dev is repurposed as dev_scratch; when a SK_SKB verdict program uses BPF socket-lookup helpers (bpf_sk_lookup_tcp/udp, bpf_skc_lookup_tcp), skb->dev may still hold the dev_scratch value, and dev_net(skb...
CVE-2026-53184
In the Linux kernel, the following vulnerability has been resolved: udp: clear skb-dev before running a sockmap verdict On the UDP receive path skb-dev is repurposed as devscratch the truesize/state cache set by udpsetdevscratch, through the union struct netdevice dev; unsigned long devscratch; i...
PT-2026-52280
Name of the Vulnerable Software and Affected Versions Linux kernel version 7.1.0-rc6 Description An issue exists in the UDP receive path where the skb-dev field is repurposed as dev scratch via a union in sk buff. When a UDP socket is in a sockmap, the sk psock verdict recv function runs an...
CVE-2026-53070
In the Linux kernel, the following vulnerability has been resolved: sctp: disable BH before calling udptunnelxmitskb udptunnelxmitskb / udptunnel6xmitskb are expected to run with BH disabled. After commit 6f1a9140ecda "add xmit recursion limit to tunnel xmit functions", on the path:...