5449 matches found
CVE-2026-47180
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.5, DNSIncoming.decodelabelsatoffset recurses once per DNS-name compression pointer, and a single mDNS packet carrying chained pointers can trigger a RecursionError that escapes DNSIncoming.init, causing...
CVE-2026-47180 Zeroconf: Unbounded recursion in DNS compression-pointer decoder allows LAN-local denial of service
Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.5, DNSIncoming.decodelabelsatoffset recurses once per DNS-name compression pointer, and a single mDNS packet carrying chained pointers can trigger a RecursionError that escapes DNSIncoming.init, causing...
CVE-2026-47180
CVE-2026-47180 affects the Zeroconf Python library. The vulnerability stems from DNSIncoming._decode_labels_at_offset recursing for each DNS-name compression pointer; a crafted mDNS packet with ~1500 chained pointers can cause unbounded recursion, escaping DNSIncoming.init and triggering sustaine...
CVE-2026-45133 Symfony: [Yaml] Harden the parser when handling untrusted input
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, when the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level Parser::parseBlock and inline...
SUSE-SU-2026:2983-1 Security update for jq
This update for jq fixes the following issues: - CVE-2026-32316: integer overflow within the jvpstringappend and jvpstringcopyreplacebad functions can lead to heap buffer overflow when evaluating untrusted jq queries bsc1262044. - CVE-2026-33947: unbounded recursion in functions jvsetpath,...
OPENSUSE-SU-2026:21339-1 Security update for python-mistune
This update for python-mistune fixes the following issues - CVE-2026-59922: quadratic-time parsing on long runs of some markers in formatting.py can lead to DoS bsc1271117. - CVE-2026-59923: HTMLRenderer.safeurl does not block percent-encoded javascript URIs and allows for XSS bsc1271119. -...
OPENSUSE-SU-2026:21343-1 Security update for python-sqlparse
This update for python-sqlparse fixes the following issues: Changes in python-sqlparse: - GHSA-27jp-wm6q-gp25: Limit recursion during parsing of tuples. bsc1268597...
zeroconf has unbounded recursion in DNS compression-pointer decoder that allows LAN-local denial of service
ImpactDNSIncoming.decodelabelsatoffset recurses once per DNS-name compression pointer RFC 1035 §4.1.4. Pointer cycles and label counts were capped, but the chain length of unique forward pointers was not. A single 3 kB mDNS packet carrying 1500 chained pointers drives the recursion past CPython's...
PYSEC-2026-3436 zeroconf has unbounded recursion in DNS compression-pointer decoder that allows LAN-local denial of service
Impact DNSIncoming.decodelabelsatoffset recurses once per DNS-name compression pointer RFC 1035 §4.1.4. Pointer cycles and label counts were capped, but the chain length of unique forward pointers was not. A single 3 kB mDNS packet carrying 1500 chained pointers drives the recursion past CPython'...
OPENSUSE-SU-2026:21318-1 Security update for jq
This update for jq fixes the following issues - CVE-2026-43896: unbounded recursion in jvobjectmergerecursive can lead to C stack exhaustion and a process crash bsc1265075. - CVE-2026-44777: uncontrolled recursion in ordinary module loader when two valid modules include each other can lead to sta...
PT-2026-60045
Impact DNSIncoming. decode labels at offset recurses once per DNS-name compression pointer RFC 1035 §4.1.4. Pointer cycles and label counts were capped, but the chain length of unique forward pointers was not. A single 3 kB mDNS packet carrying 1500 chained pointers drives the recursion past...
CVE-2026-40007
Uncontrolled Recursion, Uncontrolled Resource Consumption vulnerability in Apache IoTDB. When pipeairgapreceiverenabled=true, the IoTDB AirGap receiver's readLength method calls itself recursively each time it recognises the E-language prefix in socket data, with no depth limit. An unauthenticate...
EUVD-2026-42835
Uncontrolled Recursion, Uncontrolled Resource Consumption vulnerability in Apache IoTDB. When pipeairgapreceiverenabled=true, the IoTDB AirGap receiver's readLength method calls itself recursively each time it recognises the E-language prefix in socket data, with no depth limit. An unauthenticate...
CVE-2026-40007 Apache IoTDB: Unauthenticated unbounded recursion in IoTDB AirGap receiver's E-language prefix parser causes per-connection StackOverflowError
Uncontrolled Recursion, Uncontrolled Resource Consumption vulnerability in Apache IoTDB. When pipeairgapreceiverenabled=true, the IoTDB AirGap receiver's readLength method calls itself recursively each time it recognises the E-language prefix in socket data, with no depth limit. An unauthenticate...
CVE-2026-40007
Uncontrolled Recursion, Uncontrolled Resource Consumption vulnerability in Apache IoTDB. When pipeairgapreceiverenabled=true, the IoTDB AirGap receiver's readLength method calls itself recursively each time it recognises the E-language prefix in socket data, with no depth limit. An unauthenticate...
CVE-2026-40007
CVE-2026-40007 affects Apache IoTDB. The issue is an uncontrolled recursion in the AirGap receiver: when pipe_air_gap_receiver_enabled is true, readLength recursively processes E-language prefixes with no depth limit, allowing an unauthenticated attacker to exhaust the receiver thread’s JVM stack...
SUSE CVE-2026-59927
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct self-includes and not indirect cycles, allowing two markdown files that include each other to trigger unbounded recursion, raise...
p11-kit: Stack exhaustion via unbounded recursion in RPC attribute parsing
A flaw was found in p11-kit. The RPC message attribute parsing functions p11rpcmessagegetattribute and p11rpcmessagegetattributearrayvalue form a mutually-recursive call chain with no recursion depth limit when processing nested CKAWRAPTEMPLATE, CKAUNWRAPTEMPLATE, and CKADERIVETEMPLATE attributes...
CVE-2026-59927
A flaw was found in Mistune, a Python Markdown parser. The Include directive in Mistune's src/mistune/directives/include.py does not properly detect indirect cycles when two Markdown files include each other. This oversight allows for unbounded recursion, which can lead to a RecursionError and...
openSUSE 16 Security Update : jq (openSUSE-SU-2026:21248-1)
The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:21248-1 advisory. - CVE-2025-48060: improper handling of string data in jvstringempty can lead to heap buffer overflow and a crash when processing crafted input...