RHEL 9 : python3.11 (RHSA-2026:14653)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:14653 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...

RHEL 9 : python3.11 (RHSA-2026:14652)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:14652 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...

MiracleLinux 8 : python3-3.6.8-76.el8_10.ML.1 (AXSA:2026-547:06)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-547:06 advisory. python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules CVE-2026-6100 python: cpython: Python:...

PT-2026-38379

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.133.Final Netty versions prior to 4.2.13.Final Description HttpContentDecompressor and DelegatingDecompressorFrameListener used for HTTP/2 connections utilize a maxAllocation parameter to limit decompression buffer...

GHSA-PGGP-6C3X-2XMX Snappier has an infinite loop during SnappyStream decompression with malformed framed input

Summary Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed framed-format Snappy stream as small as 15 bytes. Details The hang manifests as a userspace busy loop with SnappyStreamDecompressor.Decompress repeatedly calling Crc32CAlgorithm.Append. The exact...

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop in the SnappyStreamDecompressor class, when decompressing malformed framed-format input. An attacker can cause the application to exhaust system resources by providing malicious stream data as small as 15 bytes PoC using...

Snappier has an infinite loop during SnappyStream decompression with malformed framed input

Summary Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed framed-format Snappy stream as small as 15 bytes. Details The hang manifests as a userspace busy loop with SnappyStreamDecompressor.Decompress repeatedly calling Crc32CAlgorithm.Append. The exact...

avro-oom-compression-poc

Avro Decompression Bomb PoC CWE-409 Proof of concept demons...

PT-2026-38299

Name of the Vulnerable Software and Affected Versions Snappier affected versions not specified Description A denial of service issue exists where Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed framed-format Snappy stream. This occurs when the...

openmrs-core 路径遍历漏洞

OpenMRS-core is an open-source electronic health record system developed by OpenMRS. Versions of OpenMRS-core prior to 2.7.8, as well as versions 2.8.0 to 2.8.5, have a path traversal vulnerability. This vulnerability stems from the module upload endpoint’s automatic decompression of .omod archiv...

Inefficient Algorithmic Complexity

Overview Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the decode function in the DNS name decompression process. An attacker can cause the server to hang and...

Important: Red Hat Security Advisory: python3.11 security update

An update for python3.11 is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

Security Bulletin: Vulnerability in urllib3 affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.

Summary Potential vulnerability in urllib3 has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. . The vulnerability have been addressed. Refer to details for additional information. Vulnerabili...

JLSEC-2026-422 When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses...

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the CURLOPTACCEPTENCODING option, using zlib 1.2.0.3 or older, an attacker-controlled integer overflow would make libcurl perform a buffer overflow...

JLSEC-2026-393

curl 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually...

JLSEC-2026-404

An allocation of resources without limits or throttling vulnerability exists in curl v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this...

Security Bulletin: Denial of Service in urllib3 via Unbounded Decompression of Redirect Responses

Summary urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on t...

Security Bulletin:urllib3 Unbounded Decompression Chain Enables Denial of Service

Summary urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massiv...

CVE-2026-6535

A flaw was found in Wireshark's dissection engine. A remote attacker could exploit this vulnerability by sending a specially crafted packet. This could trigger a zlib decompression crash, leading to a denial of service and making the application unresponsive or causing it to terminate unexpectedl...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerabilities have been resolved: f2fs: fixed scheduling issues during atomic decompression operations 16.945668 C0 Call trace: 16.945678 C0 dumpbacktrace+0x110/0x204 16.945706 C0 dumpstacklvl+0x84/0xbc 16.945735 C0 schedulebug+0xb8/0x1ac 16.945756 C0...