151 matches found
EUVD-2026-41412
The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the session ticket handler. In tlshandshake13:handlepresharedkey/3, an OfferedPreSharedKeys record with a...
CVE-2026-55952
The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the session ticket handler. In tlshandshake13:handlepresharedkey/3, an OfferedPreSharedKeys record with a...
CVE-2026-55952 TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension
The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the session ticket handler. In tlshandshake13:handlepresharedkey/3, an OfferedPreSharedKeys record with a...
CVE-2026-55952 TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension
The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the session ticket handler. In tlshandshake13:handlepresharedkey/3, an OfferedPreSharedKeys record with a...
CVE-2026-55952
Summary: The Erlang/OTP ssl module is vulnerable to a TLS 1.3 denial of service due to a mismatch between PSK identity list and binder list lengths in the ClientHello extension. In tls_handshake_1_3:handle_pre_shared_key/3, an OfferedPreSharedKeys record with unequal identities/binders is passed ...
JLSEC-2026-518
GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3. The earliest affected version is 3.6.4 2018-09-24 because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS...
SUSE-SU-2026:0790-1 Security update for go1.25-openssl
This update for go1.25-openssl fixes the following issues: Update to version 1.25.7. Security issues fixed: - CVE-2025-61732: cmd/go: discrepancy between Go and C/C++ comment parsing allows for C code smuggling bsc1257692. - CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated...
Medium: containerd
Issue Overview: net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary ZIP archives CVE-2025-61728 crypto/tls: handshake messages may be processed at the incorrect encryption level CVE-2025-61730 crypto/tls: Config.Clone copies...
Medium: oci-add-hooks
Issue Overview: net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary ZIP archives CVE-2025-61728 crypto/tls: handshake messages may be processed at the incorrect encryption level CVE-2025-61730 crypto/tls: Config.Clone copies...
Amazon Linux 2023 : docker (ALAS2023-2026-1376)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1376 advisory. net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary ZIP archives CVE-2025-61728 crypto/tls: handshake messages may be processe...
Medium: runc
Issue Overview: net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary ZIP archives CVE-2025-61728 crypto/tls: handshake messages may be processed at the incorrect encryption level CVE-2025-61730 crypto/tls: Config.Clone copies...
Medium: docker
Issue Overview: net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary ZIP archives CVE-2025-61728 crypto/tls: handshake messages may be processed at the incorrect encryption level CVE-2025-61730 crypto/tls: Config.Clone copies...
Security update for go1.25
This update for go1.25 fixes the following issues: Update to version 1.25.7. Security issues fixed: CVE-2025-61732: cmd/go: discrepancy between Go and C/C++ comment parsing allows for C code smuggling bsc1257692. CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated session tick...
CVE-2025-68121
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the...
CVE-2025-68121
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the...
Amazon Linux 2023 : amazon-ecr-credential-helper (ALAS2023-2026-1370)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1370 advisory. net/http: memory exhaustion in Request.ParseForm CVE-2025-61726 archive/zip: denial of service when parsing arbitrary ZIP archives CVE-2025-61728 crypto/tls: handshake messages may be processe...
Security update for go1.25
This update for go1.25 fixes the following issues: Update to go1.25.6 released 2026-01-15 bsc1244485 Security fixes: CVE-2025-61730: crypto/tls: handshake messages may be processed at the incorrect encryption level bsc1256821. CVE-2025-68119: cmd/go: unexpected code execution when invoking...
Golang 1.25.x < 1.25.6 Multiple Vulnerabilities
The version of Golang running on the remote host is 1.25.x prior to 1.25.6. It is, therefore, affected by multiple vulnerabilities as referenced in advisory. - bypass of flag sanitization can lead to arbitrary code execution. CVE-2025-61731 - unexpected code execution when invoking toolchain...
CVE-2022-38153
An issue was discovered in wolfSSL before 5.5.0 when --enable-session-ticket is used; however, only version 5.3.0 is exploitable. Man-in-the-middle attackers or a malicious server can crash TLS 1.2 clients during a handshake. If an attacker injects a large ticket more than 256 bytes into a...
EUVD-2017-15206
Malware in sbrugna...