5302 matches found

OSV
added 2026/01/13 3:29 p.m., 2 views

CVE-2025-68792 tpm2-sessions: Fix out of range indexing in name_size

In the Linux kernel, the following vulnerability has been resolved: tpm2-sessions: Fix out of range indexing in name_size. 'name_size' does not have any range checks, and it just directly indexes with TPM_ALG_ID, which could lead to memory corruption at worst. Address the issue by only processing...

AI score 6.5, EPSS 0.00166
Exploits 0, References 6
EUVD
added 2026/01/13 3:10 p.m., 4 views

EUVD-2026-1867

RustCrypto: Signatures has timing side-channel in ML-DSA decomposition...

CVSS 6.4, AI score 6.2, EPSS 0.00173
Exploits 0, References 4
Snyk
added 2026/01/13 2:56 p.m., 4 views

Improper Verification of Cryptographic Signature

Overview: net.gleske:jervis is self-service Jenkins job generation using Jenkins Job DSL plugin Groovy scripts. It reads .jervis.yml and generates a job in Jenkins. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the JWT verification process. ...

CVSS 6.9, AI score 6.8, EPSS 0.00128
Exploits 0, References 2
Github Security Blog
added 2026/01/13 2:56 p.m., 9 views

Jervis Has a JWT Algorithm Confusion Vulnerability

Vulnerability: https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy#L244-L249 The code doesn't validate that the JWT header specifies "alg":"RS256". Impact: Depending on the broader system, this could allow JWT...

CVSS 6.9, AI score 7, EPSS 0.00128
Exploits 0, References 6, Affected Software 1
AstraLinux
added 2026/01/13 2:01 p.m., 6 views

Astra Linux – Vulnerability found in Linux 6.1, Linux 6.12

In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg – Concurrent writes to af_alg_sendmsg are now disallowed. Issuing two writes to the same af_alg socket is problematic, as the data will be interleaved in an unpredictable manner. Additionally, concurrent writes may caus...

CVSS 3.3, AI score 6.5, EPSS 0.00227
Exploits 0, References 3
AstraLinux
added 2026/01/13 2:01 p.m., 3 views

Astra Linux – Vulnerability in Ceph

Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and earlier, it is possible to send a JWT with “none” as its JWT algorithm. By doing this, the JWT signature is not checked. The vulnerability lies most likely in the RadosGW OIDC provider. As of the time of...

CVSS 8.1, AI score 7.2, EPSS 0.00184
Exploits 0, References 3
CNNVD
added 2026/01/13 12:00 a.m., 7 views

Hono data forgery vulnerability

Hono is a web framework written in TypeScript from the Hono community. A data forgery issue vulnerability exists in Hono versions prior to 4.11.4 that stems from the JWT validation middleware allowing the JWT header algorithm to influence signature verification, potentially leading to algorithmic...

CVSS 8.2, AI score 5.8, EPSS 0.00118
Exploits 0, References 3
Positive Technologies
added 2026/01/13 12:00 a.m., 3 views

PT-2026-2798

Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.11.4. Description: Hono is a Web application framework supporting various JavaScript runtimes. A flaw exists in the JWT verification middleware when using JWK/JWKS, where the alg value in the JWT header could influence...

CVSS 8.2, AI score 6.3, EPSS 0.00141
Exploits 0, References 9
CNNVD
added 2026/01/13 12:00 a.m., 3 views

Hono data forgery vulnerability

Hono is a web framework written in TypeScript from the Hono community. A data forgery issue vulnerability exists in Hono versions prior to 4.11.4 that stems from the JWT validation middleware allowing JWT header algorithmic values to influence signature validation, potentially leading to...

CVSS 8.2, AI score 5.8, EPSS 0.00141
Exploits 0, References 3
Positive Technologies
added 2026/01/13 12:00 a.m., 2 views

PT-2026-2683

Name of the Vulnerable Software and Affected Versions: Windows Kerberos, affected versions not specified. Description: The use of a broken or risky cryptographic algorithm in Windows Kerberos can allow an authorized attacker to disclose information locally. This issue allows attackers to obtain...

CVSS 5.5, AI score 6.1, EPSS 0.00363
Exploits 0, References 25
Positive Technologies
added 2026/01/13 12:00 a.m., 5 views

PT-2026-2556

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the code doesn't validate that the JWT header specifies "alg":"RS256". This vulnerability is fixed in 2.2...

CVSS 6.9, AI score 7.1, EPSS 0.00128
Exploits 0, References 4
Tenable Nessus
added 2026/01/13 12:00 a.m., 9 views

MiracleLinux 8 : kernel-4.18.0-553.66.1.el8_10 (AXSA:2025-10755:54)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2025-10755:54 advisory. kernel: HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove (CVE-2025-21928); kernel: memstick: rtsx_usb_ms: Fix slab-use-after-free in...

CVSS 7.8, AI score 6.9, EPSS 0.0019
Exploits 0, References 7
OSV
added 2026/01/12 5:39 p.m., 12 views

GO-2026-4275 Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira

Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is...

CVSS 8.3, AI score 6.8, EPSS 0.00227
Exploits 0, References 9
NVD
added 2026/01/10 7:16 a.m., 6 views

CVE-2026-22705

RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints for the signature...

CVSS 6.4, EPSS 0.00173
Exploits 0, References 3
Cvelist
added 2026/01/10 6:14 a.m., 27 views

CVE-2026-22705 RustCrypto: Signatures has timing side-channel in ML-DSA decomposition

RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints for the signature...

CVSS 6.4, EPSS 0.00173
Exploits 0, References 3
Vulnrichment
added 2026/01/10 6:14 a.m., 4 views

CVE-2026-22705 RustCrypto: Signatures has timing side-channel in ML-DSA decomposition

RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints for the signature...

CVSS 6.4, AI score 6.6, EPSS 0.00173
Exploits 0, References 3
OSV
added 2026/01/10 6:14 a.m., 3 views

CVE-2026-22705 RustCrypto: Signatures has timing side-channel in ML-DSA decomposition

RustCrypto: Signatures offers support for digital signatures, which provide authentication of data using public-key cryptography. Prior to version 0.1.0-rc.2, a timing side-channel was discovered in the Decompose algorithm which is used during ML-DSA signing to generate hints for the signature...

CVSS 6.4, AI score 6.8, EPSS 0.00173
Exploits 0, References 5
CNNVD
added 2026/01/10 12:00 a.m., 3 views

RustCrypto: Signatures security vulnerability

RustCrypto: Signatures is an open-source cryptographic signature library from RustCrypto. A security vulnerability exists in RustCrypto: Signatures versions prior to 0.1.0-rc.2, which stems from the presence of timing side channels in the Decompose algorithm used during ML-DSA signing...

CVSS 6.4, AI score 6.3, EPSS 0.00173
Exploits 0, References 3
EUVD
added 2026/01/09 7:39 p.m., 5 views

EUVD-2026-1693

jose-swift has JWT Signature Verification Bypass via None Algorithm...

AI score 6.5
Exploits 0, References 2
OSV
added 2026/01/09 7:39 p.m., 3 views

GHSA-88Q6-JCJG-HVMW jose-swift has JWT Signature Verification Bypass via None Algorithm

Summary: An authentication bypass vulnerability allows any unauthenticated attacker to forge arbitrary JWT tokens by setting "alg": "none" in the token header. The library's verification functions immediately return true for such tokens without performing any cryptographic verification, enabling...

CVSS 9.3, AI score 5.7
Exploits 0, References 5