OESA-2026-2491 libvncserver security update

libvncserver is a set of programs using the RFB Remote Frame Buffer protocol. They are designed to "export" a frame buffer via net: you set up a server and can connect to it via VNC viewers. If the server supports WebSockets which LibVNCServer does, you can also connect using an in-browser VNC...

UBUNTU-CVE-2026-44988

LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and earlier, LibVNCClient's Tight encoding decoder uses fixed-size 2048-pixel scratch buffers for the Gradient filter, but it does not reject Tight rectangles whose width is larger than 2048 pixels. A malicious VNC serve...

EUVD-2026-32525

LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and earlier, LibVNCClient's Tight encoding decoder uses fixed-size 2048-pixel scratch buffers for the Gradient filter, but it does not reject Tight rectangles whose width is larger than 2048 pixels. A malicious VNC serve...

ROS-20260524-73-0038

A vulnerability in the crc32combine64 and crc32combinegen64 functions of the open source lossless data compression library zlib is related to the fact that the x2nmodp function can perform right shifts in a loop without a termination condition. Exploitation of the vulnerability could allow an...

ROS-20260524-73-0039

Vulnerability in perl-Compress-Raw-Zlib related to incorrect input of configuration data. The vulnerability can be exploited remotely...

Security Bulletin: IBM i is Affected by an Improper Validation Vulnerability in zlib [CVE-2026-27171]

Summary Zlib for IBM i is vulnerable to increased CPU consumption when using functions crc32combine64 and crc32combine64gen64 CVE-2026-27171 as described in the vulnerability details section. Vulnerability Details CVEID:CVE-2026-27171 DESCRIPTION: zlib before 1.3.2 allows CPU consumption via...

Fedora 42 : mysql8.4 (2026-a4e0e8211d)

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-a4e0e8211d advisory. MySQL 8.4.9 Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-9.html Known issue: s390x-specific issue - zlib with DFLTCC...

Astra Linux - уязвимость в zlib, libz-mingw-w64

Zlib versions up to 1.2.12 have a heap-based buffer over-read or buffer overflow issue in the inflate function within inflate.c, due to a large gzip header extra field. NOTE: Only applications that call inflateGetHeader are affected. Some common applications bundle the affected Zlib source code,...

Astra Linux - уязвимость в netty

In Netty 4.1.x before 4.1.46, the ZlibDecoders allowed unbounded memory allocation when decoding Zlib-encoded byte streams. An attacker could send a large Zlib-encoded byte stream to the Netty server, forcing the server to allocate all of its available memory to a single decoder...

Fedora 44 : mysql8.4 (2026-92a75ddb71)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-92a75ddb71 advisory. MySQL 8.4.9 Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.4/en/news-8-4-9.html Known issue: s390x-specific issue - zlib with DFLTCC...

Fedora 44 : mysql8.0 (2026-1704f705ab)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-1704f705ab advisory. MySQL 8.0.46 Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-46.html Known issue: s390x-specific issue - zlib with DFLTCC...

Unchecked `CryptoVec` allocation and growth handling

CryptoVec used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation and locking paths. In affected russh releases, attacker-controlled input could reach these code paths through buffer resizing operations. Two affected reachability paths were identified: Current russh...

CVE-2026-43970 Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame

Improper Handling of Highly Compressed Data Data Amplification vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cowspdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY...

CVE-2026-43970 Decompression Bomb in cow_spdy:inflate/2 Allows Memory Exhaustion via Crafted SPDY Frame

Improper Handling of Highly Compressed Data Data Amplification vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion. cowspdy:inflate/2 in cowlib passes peer-supplied compressed bytes directly to zlib:inflate/2 with no output size bound. The SPDY...

Unity Linux 20.1070e Security Update: netty (UTSA-2026-017795)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017795 advisory. The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large...

Unity Linux 20.1070e Security Update: gstreamer1-plugins-good (UTSA-2026-017386)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017386 advisory. DOS / potential heap overwrite in qtdemux using zlib decompression. Integer overflow in qtdemux element in qtdemuxinflate function which causes a segfault, or could...

JLSEC-2026-479

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip464 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an...

JLSEC-2026-480 zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because...

zlib before 1.3.2 allows CPU consumption via crc32combine64 and crc32combinegen64 because x2nmodp can do right shifts within a loop that has no termination condition...

CLSA-2026-1778051357 java-21-openjdk: Fix of 8 CVEs

Update to jdk-21.0.11+10 GA - Resolves Oracle April 2026 CPU CVEs: CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-34268, CVE-2026-34282 - CVE-2026-23865: integer overflow in ttvarloaditemvariationstore in bundled FreeType fixed via bump to 2.14.2 - Update...

JLSEC-2026-422 When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses...

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPTACCEPTENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow...