EUVD-2026-39560

Certificate policy and RFC 8446 compliance concerns regarding the continued acceptance of SHA-1/MD5 in certificate processing...

EUVD-2026-39532

CANBoat through 6.22, fixed in commit a5a22b7, contains an off-by-one global buffer overflow in the searchForPgn function in analyzer/pgn.c that allows remote attackers to crash the application. Attackers can deliver a crafted NMEA-2000 message with an out-of-range PGN value over CAN bus or...

EUVD-2026-39529

RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read vulnerability in the decodessr3 function at src/rtcm3.c:1446 that allows remote attackers to trigger a global buffer overflow via crafted RTCM3 SSR messages with attacker-controlled signal mode fields. Remote attackers can exploit thi...

CVE-2026-11703

CVE-2026-11703 (wolfSSL) describes missing SNI/ALPN binding on stateful (session-ID) TLS resumption. A cached TLS session could be resumed under a different SNI/ALPN than originally negotiated, potentially carrying cached peer-authentication state across virtual hosts. The public description stat...

CVE-2026-13351

Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer allocated from a memory...

CVE-2026-13351

Zephyr’s IPv6 network stack is vulnerable to a denial-of-service caused by fragmented IPv6 packets. In the fragment-header processing path, the RX network packet buffer allocated from a memory slab is not released back to the pool after handling malicious fragments. Repeating such packets exhaust...

EUVD-2026-39350

An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memo...

CVE-2026-40211

An attacker can send crafted DNS over HTTP/3 queries, triggering an ex...

CVE-2026-53275

The CVE-2026-53275 entry describes a Linux kernel IPv6 multicast (mcast) use-after-free in MLD query processing. Specifically, while handling an MLD query, a pointer to the multicast group address is obtained during initial parsing but is later dereferenced after pskb_may_pull() may have realloca...

EUVD-2026-39226

In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Fix use-after-free when processing MLD queries When processing an MLD query, a pointer to the multicast group address is retrieved when initially parsing the packet. This pointer is later dereferenced without being...

CVE-2026-53268

In the Linux kernel, the following vulnerability has been resolved: n...

CVE-2026-53266

CVE-2026-53266 concerns the Linux kernel netfilter bridge (ebt_snat ARP rewrite) where the ARP sender hardware address rewrite could be written via skb_store_bits() into a non-writable area. The fix ensures the ARP SHA range is writable before reading the ARP header and before performing the writ...

CVE-2026-53266

In the Linux kernel, the following vulnerability has been resolved: n...

CVE-2026-53262

In the Linux kernel, the following vulnerability has been resolved: l...

EUVD-2026-39210

In the Linux kernel, the following vulnerability has been resolved: ipv6: anycast: insert aca into global hash under idev-lock syzbot reported a splat 1: a slab-use-after-free in ipv6chkacastaddr, which walks the global inet6acaddrlst hash under RCU and dereferences a struct ifacaddr6 that has...

CVE-2026-53256

CVE-2026-53256 addresses a Linux kernel Bluetooth RFCOMM use-after-free condition. In rfcomm_get_sock_by_channel(), the listener is selected while holding rfcomm_sk_list.lock but is returned after the lock is dropped and without a reference. rfcomm_connect_ind() then locks the listener, queues a ...

CVE-2026-53253

The CVE-2026-53253 entry concerns the Linux kernel Bluetooth BNEP path. A short BNEP SDU could be processed without validating required bytes in bnep_rx_frame and bnep_rx_control, leading to a potential access of unverified data (KASAN). The fix adds proper length validation by using skb_pull_dat...

CVE-2026-53249

In the Linux kernel, CVE-2026-53249 affects the IPv4 handling of LSRR and SSRR options. The implemented patch restricts setting IPOPT_SSRR and IPOPT_LSRR to users with CAP_NET_RAW, preventing unprivileged applications from steering traffic through attacker-controlled nodes to leak TCP ISN and pot...

EUVD-2026-39200

In the Linux kernel, the following vulnerability has been resolved: ipv4: restrict IPOPTSSRR and IPOPTLSRR options This patch restricts setting Loose Source and Record Route LSRR and Strict Source and Record Route SSRR IP options to users with CAPNETRAW capability. This prevents unprivileged...

EUVD-2026-39197

In the Linux kernel, the following vulnerability has been resolved: sctp: validate cached peer INIT chunk length in COOKIEECHO processing When a listening SCTP server processes a COOKIEECHO chunk, the cached peer INIT chunk embedded after the cookie is parsed and its parameters are later walked b...