14 matches found
CVE-2026-44893 Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length
Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV first calls header.retainedSlice(header.readerIndex(), length) and only then...
CVE-2026-44893
Netty CVE-2026-44893 affects netty-codec-haproxy prior to 4.1.135.Final and 4.2.15.Final. During PP2_TYPE_SSL TLV decoding, HAProxyMessage.readNextTLV() retains a slice before reading the client (1 byte) and verify (4 bytes). If TLV length
CVE-2026-28532
FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE macro, causing the loop termination condition to fail while pointer...
PT-2026-36172
Name of the Vulnerable Software and Affected Versions: FRRouting versions prior to 10.5.3 Description: An integer overflow exists in seven OSPF Traffic Engineering and Segment Routing TLV parser functions. A uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE macro, whi...
CVE-2026-3557
Philips Hue Bridge hap_pair_verify_handler Sub-TLV Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit th...
(Pwn2Own) Philips Hue Bridge hap_pair_verify_handler Sub-TLV Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Philips Hue Bridge. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the...
PT-2026-23775
Name of the Vulnerable Software and Affected Versions: Philips Hue Bridge affected versions not specified Description: The Philips Hue Bridge contains a heap-based buffer overflow in the hap_pair_verify_handler function during Sub-TLV parsing. This issue could allow for remote code execution. The...
CVE-2023-53705
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix out-of-bounds access in ipv6_find_tlv(). optlen is fetched without checking whether there is more than one byte to parse. It can lead to out-of-bounds access. Found by InfoTeCS on behalf of Linux Verification Center...
DEBIAN-CVE-2023-53705
In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix out-of-bounds access in ipv6_find_tlv(). optlen is fetched without checking whether there is more than one byte to parse. It can lead to out-of-bounds access. Found by InfoTeCS on behalf of Linux Verification Center...
CVE-2024-50697
In SunGrow WiNet-SV200.001.00.P027 and earlier versions, when decrypting MQTT messages, the code that parses specific TLV fields does not have sufficient bounds checks. This may result in a stack-based buffer overflow...
PT-2025-2887 · Sungrow · Sungrow Winet-Sv200
Name of the Vulnerable Software and Affected Versions: SunGrow WiNet-SV200 versions 0.001.00.P027 and earlier Description: The issue arises when decrypting MQTT messages, specifically due to insufficient bounds checks in the code that parses certain TLV fields. This may lead to a stack-based buff...
UBUNTU-CVE-2024-44070
An issue was discovered in FRRouting FRR through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value...
SUSE CVE-2024-0210
Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file...
PT-2023-35524 · Git +1 · Opensc
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided description. Description: The issue is related to a heap-buffer-overflow read error. The crash state indicates involvement of the iasecc_parse_get_tlv, iasecc_parse_docp, and iase...