DEBIAN-CVE-2026-44296

Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service DoS vulnerability affects Deskflow servers running with TLS enabled the default. When any TCP peer connects to the listening port and its first bytes do not parse as a valid TLS...

CVE-2026-44296

Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service DoS vulnerability affects Deskflow servers running with TLS enabled the default. When any TCP peer connects to the listening port and its first bytes do not parse as a valid TLS...

UBUNTU-CVE-2026-44296

Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service DoS vulnerability affects Deskflow servers running with TLS enabled the default. When any TCP peer connects to the listening port and its first bytes do not parse as a valid TLS...

CVE-2026-44296

Deskflow TLS multiplexer DoS (CVE-2026-44296): prior to 1.26.0.167, remote unauthenticated connections that fail TLS ClientHello cause SecureSocket::secureAccept to sleep for 1s on the multiplexer thread, stalling input delivery to all connected screens. A sustained stream of malformed handshakes...

PT-2026-39574

Zephyr sockets created with IPPROTO TLS 1 3 can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS e.g. via mbedtls ssl conf min tls version. The ClientHello advertises both versions and the...

Astra Linux - уязвимость в mbedtls

An issue was discovered in Mbed TLS 3.5.1. There is persistent handshake denial if a client sends a TLS 1.3 ClientHello without extensions...

Astra Linux - уязвимость в mbedtls

An issue was discovered in Mbed TLS before 2.28.1 and 3.x before 3.2.0. In some configurations, an unauthenticated attacker can send an invalid ClientHello message to a DTLS server that causes a heap-based buffer over-read of up to 255 bytes. This can cause a server crash or possibly information...

CVE-2026-1584

A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key PSK binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and...

CVE-2026-1584

A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key PSK binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and...

Traefik < 2.11.41 / 3.x < 3.6.11 Multiple Vulnerabilities

The version of Traefik installed on the remote macOS host is prior to 2.11.41 or 3.x prior to 3.6.11. It is, therefore, affected by multiple vulnerabilities: - mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across...

CVE-2026-32305

A flaw was found in Traefik, an HTTP reverse proxy and load balancer. A remote attacker can exploit this vulnerability by sending fragmented ClientHello packets during the Transport Layer Security TLS handshake. This causes Traefik's Server Name Indication SNI extraction to fail, leading to a...

GHSA-WVVQ-WGCR-9Q48 Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config

Summary There is a potential vulnerability in Traefik's TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the...

Insecure Default Initialization of Resource

Overview github.com/traefik/traefik/v2/pkg/server/router/tcp is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS, ... a...

CVE-2026-32305

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records,...

CVE-2026-32305 Traefik mTLS bypass via fragmented ClientHello SNI extraction failure

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records,...

CVE-2026-32305

Traefik (HTTP reverse proxy/load balancer) versions affected: 2.11.40 and earlier; 3.0.0-beta1 through 3.6.11; 3.7.0-ea.1 are vulnerable to a bypass of mTLS enforcement via TLS ClientHello SNI pre-sniffing when ClientHello messages are fragmented. In this scenario, SNI extraction may EOF and retu...

CVE-2026-32305 Traefik mTLS bypass via fragmented ClientHello SNI extraction failure

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records,...

PT-2026-26601

Name of the Vulnerable Software and Affected Versions Traefik versions 2.11.40 and below Traefik versions 3.0.0-beta1 through 3.6.11 Traefik version 3.7.0-ea.1 Description Traefik, an HTTP reverse proxy and load balancer, is susceptible to a mutual TLS mTLS bypass. This occurs due to a flaw in th...

CVE-2025-13476

Rakuten Viber Cloak mode in Android v25.7.2.0g and Windows v25.6.0.0–v25.8.1.0 uses a static and predictable TLS ClientHello fingerprint lacking extension diversity, allowing Deep Packet Inspection DPI systems to trivially identify and block proxy traffic, undermining censorship circumvention...

CVE-2025-13476

Rakuten Viber Cloak mode in Android v25.7.2.0g and Windows v25.6.0.0–v25.8.1.0 uses a static and predictable TLS ClientHello fingerprint lacking extension diversity, allowing Deep Packet Inspection DPI systems to trivially identify and block proxy traffic, undermining censorship circumvention...