JLSEC-2026-477

zlib before 1.2.12 allows memory corruption when deflating i.e., when compressing if the input has many distant matches...

EUVD-2026-28298

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init reconstructs strings from a prefix-compressed...

GHSA-FRH3-6PV6-RC8J Bandit's unbounded WebSocket inflate causes BEAM OOM with a single frame

Summary When a Bandit-fronted server has explicitly enabled WebSocket permessage-deflate compress: true, an unauthenticated client can OOM the BEAM with a single 6 MiB WebSocket frame. Bandit's inflate step has no output-size cap, so a small high-ratio compressed frame e.g. zeros, 1024:1 ratio...

GHSA-Q2QQ-HMJ6-3WPP hickory-proto vulnerable to CPU exhaustion during message encoding due to O(n²) name compression

During message encoding, hickory-proto's BinEncoder stores pointers to labels that are candidates for name compression in a Vec. The name compression logic then searches for matches with a linear scan. A malicious message with many records can both introduce many candidate labels, and invoke this...

hickory-proto vulnerable to CPU exhaustion during message encoding due to O(n²) name compression

During message encoding, hickory-proto's BinEncoder stores pointers to labels that are candidates for name compression in a Vec. The name compression logic then searches for matches with a linear scan. A malicious message with many records can both introduce many candidate labels, and invoke this...

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +3524 more potentially affected by CVE-2026-42587 via io.netty:netty-codec-compression (>=4.2.0.Alpha3 <=4.2.12.Final)

io.netty:netty-codec-compression MAVEN version =4.2.0.Alpha3, =0.1.0, =0.1.0, =4.7.4, =4.7.4, =4.7.3, =4.7.3, =4.7.3, =4.7.3, =4.7.3, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.2 and more Source cves: CVE-2026-42587 Source advisory: SNYK:JAVA-IONETTY-16438931...

Improper Handling of Highly Compressed Data (Data Amplification)

Overview Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification in the HttpContentDecompressor and DelegatingDecompressorFrameListener components when the Content-Encoding header is set to br, zstd, or snappy. An attacker can exhaust...

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +3524 more potentially affected by CVE-2026-42583 via io.netty:netty-codec-compression (>=4.2.0.Alpha3 <=4.2.12.Final)

io.netty:netty-codec-compression MAVEN version =4.2.0.Alpha3, =0.1.0, =0.1.0, =4.7.4, =4.7.4, =4.7.3, =4.7.3, =4.7.3, =4.7.3, =4.7.3, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.2 and more Source cves: CVE-2026-42583 Source advisory: SNYK:JAVA-IONETTY-16438323...

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +3524 more potentially affected by CVE-2026-42583 via io.netty:netty-codec-compression (>=4.2.0.Alpha3 <=4.2.12.Final)

io.netty:netty-codec-compression MAVEN version =4.2.0.Alpha3, =0.1.0, =0.1.0, =4.7.4, =4.7.4, =4.7.3, =4.7.3, =4.7.3, =4.7.3, =4.7.3, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.2 and more Source cves: CVE-2026-42583 Source advisory: OSV:GHSA-MJ4R-2HFC-F8P6...

PT-2026-38334

Name of the Vulnerable Software and Affected Versions OpenEXR versions 3.0.0 through 3.2.8 OpenEXR versions 3.3.0 through 3.3.10 OpenEXR versions 3.4.0 through 3.4.10 Description The IDManifest::init function reconstructs strings from a prefix-compressed representation. When a previous string...

PT-2026-38348

🟠 Hickory-DNS, CPU exhaustion due to On² name compression, CVE-2024-53618 Moderate https://t.co/cx7x7R6VZX...

CVE-2026-42216

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init reconstructs strings from a prefix-compressed...

CVE-2026-43179

A flaw was found in the Linux kernel's EROFS filesystem. An attacker could provide a specially crafted EROFS image with metadata compression enabled. This could trigger incorrect early returns within the kernel, leading to folio reference leaks. While this issue does not cause system crashes or...

EUVD-2026-27741

In the Linux kernel, the following vulnerability has been resolved: erofs: fix incorrect early exits for invalid metabox-enabled images Crafted EROFS images with metadata compression enabled can trigger incorrect early returns, leading to folio reference leaks. However, this does not cause system...

CVE-2026-43179

In the Linux kernel, the following vulnerability has been resolved: erofs: fix incorrect early exits for invalid metabox-enabled images Crafted EROFS images with metadata compression enabled can trigger incorrect early returns, leading to folio reference leaks. However, this does not cause system...

CVE-2026-43179

Summary: CVE-2026-43179 affects the Linux kernel’s EROFS filesystem. The issue stems from incorrect early exits for invalid metabox-enabled images with metadata compression, which can trigger folio reference leaks. The problem does not apparently cause system crashes or other severe issues accord...

SUSE CVE-2026-31767

In the Linux kernel, the following vulnerability has been resolved: drm/i915/dsi: Don't do DSC horizontal timing adjustments in command mode Stop adjusting the horizontal timing values based on the compression ratio in command mode. Bspec seems to be telling us to do this only in video mode, and...

PT-2026-37519

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description Crafted EROFS images with metadata compression enabled can trigger incorrect early returns, which leads to folio reference leaks. Folio reference leaks occur when the system fails to...

Linux kernel 安全漏洞

The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from insufficient TLB invalidation during memory compression in the Alpha architecture. This...

Twisted has a Denial of Service (DoS) in twisted.names via Crafted DNS Compression Pointer Chains

Details The twisted.names module is vulnerable to a Denial of Service DoS attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previo...