11 matches found
CVE-2026-34066 nimiq-blockchain: Peer-triggerable panic during history sync
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. Prior to version 1.3.0, HistoryStore::put_historic_txns uses an assert! to enforce invariants about HistoricTransaction.block_number (it must be within the macro block being pushed and within the same epoch). During histo...
libpng: LIBPNG buffer overflow
A buffer overflow flaw has been discovered in libpng. An out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during...
libpng: LIBPNG buffer overflow
A buffer overflow flaw has been discovered in libpng. An out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during...
UBUNTU-CVE-2025-39748
In the Linux kernel, the following vulnerability has been resolved: bpf: Forget ranges when refining tnum after JSET. Syzbot reported a kernel warning due to a range invariant violation on the following BPF program. 0: call bpf_get_netns_cookie 1: if r0 == 0 goto 2: if r0 & 0xffffffff goto The issue ...
CVE-2025-39748 bpf: Forget ranges when refining tnum after JSET
In the Linux kernel, the following vulnerability has been resolved: bpf: Forget ranges when refining tnum after JSET. Syzbot reported a kernel warning due to a range invariant violation on the following BPF program. 0: call bpf_get_netns_cookie 1: if r0 == 0 goto 2: if r0 & 0xffffffff goto The issue ...
CVE-2024-41003
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reg_set_min_max corruption of fake_reg. Juan reported that after doing some changes to buzzer 0 and implementing a new fuzzing strategy guided by coverage, they noticed the following in one of the probes: ... 13: 79 r6 = u64 ...
CVE-2024-41003
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reg_set_min_max corruption of fake_reg. Juan reported that after doing some changes to buzzer 0 and implementing a new fuzzing strategy guided by coverage, they noticed the following in one of the probes: ... 13: 79 r6 = u64 ...
Two items having same number of votes above the quorum can lead to invariant violation and unfairness towards either of the item
Impact: When an item is dropped or extracted from the maxHeap tree, it is taken directly from the item at the root of the tree, i.e. index 0. Although this is expected, if one of the child itemIds has a number of votes equal to that of the root node, this would ...
imbalanced or invalid liquidity additions/removals could happen
Impact: Potential for loss of funds or manipulation of the pool prices. Specifically: • By allowing deposit from only one of the xToken or yToken, it enables manipulating the price ratio between the tokens in the pool. This could benefit one token over the other...
Royalty Payment Invariant Violation
Impact: The vulnerability in the payment mechanism of the smart contract significantly impacts the protocol's functionality. The root cause of the vulnerability is that, despite the README stating an invariant that "Payments can only be made when royalties are...
GHSA-H3MF-4FWP-59C7 VecStorage Deserialize Allows Violation of Length Invariant
The Deserialize implementation for VecStorage did not maintain the invariant that the number of elements must equal nrows * ncols. Deserialization of specially crafted inputs could allow memory access beyond allocation of the vector. This flaw was introduced in v0.11.0 (086e6e) due to the addition of...