EUVD-2026-39267

In the Linux kernel, the following vulnerability has been resolved: IB/isert: Reject login PDUs shorter than ISERHEADERSLEN In drivers/infiniband/ulp/isert/ibisert.c, isertloginrecvdone computes the login request payload length as wc-bytelen minus ISERHEADERSLEN with no lower bound, and loginreql...

EUVD-2026-38712

In the Linux kernel, the following vulnerability has been resolved: netfilter: nflog: validate MAC header was set before dumping it The fallback path of dumpmacheader guards the MAC header access only with "skb-macheader != skb-networkheader", without checking skbmacheaderwasset. When the MAC...

CVE-2026-10658

A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In btisorecv subsys/bluetooth/host/iso.c, when processing PB=START/SINGLE fragments, the code pulls a TS SDU header 8 bytes, ts=1 or a non-TS SDU header 4 bytes, ts=0 without firs...

CVE-2026-10658 Bluetooth Host ISO RX Missing SDU Header Length Validation in bt_iso_recv() Leads to DoS

A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In btisorecv subsys/bluetooth/host/iso.c, when processing PB=START/SINGLE fragments, the code pulls a TS SDU header 8 bytes, ts=1 or a non-TS SDU header 4 bytes, ts=0 without firs...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: xfrm: iptfs – validates the length of the inner IPv4 header in the IPTFS payload. Validation of the totlen and ihl fields of the inner IPv4 packet has been added to the process of parsing decrypted IPTFS payloads in...

Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: can: gsusb: gsusbreceivebulkcallback: Check actuallength before accessing the header. The driver expects to receive a struct gshostframe in gsusbreceivebulkcallback. Use structgroup to describe the header of the struct gshostfram...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: idpf: The issue of null-ptr-deref in idpffeaturescheck has been fixed. idpffeaturescheck is used to validate the TX packet. The length of the skb header is compared with the value supported by the hardware, which is received from...

GHSA-5W86-C3RQ-VJJ7 Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length

Summary RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Details The...

Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length

Summary RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Details The...

CVE-2026-46321

A flaw was found in the Linux kernel. A local attacker with access to the tun/tap device can exploit this vulnerability. By sending network frames shorter than the expected header length, the system fails to free allocated memory pages, leading to memory leaks. This can exhaust system memory,...

CVE-2026-46321

In the Linux kernel, the following vulnerability has been resolved: tun: free page on short-frame rejection in tunxdpone tunxdpone returns -EINVAL on a frame shorter than ETHHLEN without freeing the page that vhostnetbuildxdp allocated for it. tunsendmsg discards that -EINVAL and still returns...

PT-2026-47757

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A memory leak occurs in the tap get user xdp function. When a frame is shorter than ETH HLEN, the function returns -EINVAL; similarly, it returns -ENOMEM if build skb fails. In both...

CVE-2026-41178 OpenTelemetry-Go's baggage parsing no longer caps raw header length

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes Parse to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue...

CVE-2026-41178

CVE-2026-41178 affects OpenTelemetry-Go baggage parsing. The issue arises from removal of raw-length rejection in baggage header parsing, causing Parse to fully process very large or invalid baggage headers and log errors, enabling potential DoS via CPU/memory and log amplification. Concrete deta...

EUVD-2026-34021

FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the IPv4 packet parser. In src/simplepacketparserng.cpp, after validating that the packet contains at least sizeofipv4headert bytes 20 bytes, the code advances the localpointer by '4 ipv4header-getihl' line 164 without...

CVE-2026-48682

FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the IPv4 packet parser. In src/simplepacketparserng.cpp, after validating that the packet contains at least sizeofipv4headert bytes 20 bytes, the code advances the localpointer by '4 ipv4header-getihl' line 164 without...

DEBIAN-CVE-2026-48682

FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the IPv4 packet parser. In src/simplepacketparserng.cpp, after validating that the packet contains at least sizeofipv4headert bytes 20 bytes, the code advances the localpointer by '4 ipv4header-getihl' line 164 without...

TP-Link Tapo C200 安全漏洞

The TP-Link Tapo C200 is a webcam device produced by TP-Link Corporation. The TP-Link Tapo C200 v5 version has a security vulnerability. This vulnerability stems from an improper validation of the length of the Authorization header field during RTSP authentication processing. This can lead to a...

CVE-2026-48682

FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the IPv4 packet parser. In src/simplepacketparserng.cpp, after validating that the packet contains at least sizeofipv4headert bytes 20 bytes, the code advances the localpointer by '4 ipv4header-getihl' line 164 without...

Bluetooth: virtio_bt: validate rx pkt_type header length

...