3 matches found
CVE-2026-12681
Summary: CVE-2026-12681 affects Google go-attestation prior to 0.6.1. The issue arises in parseEfiSignatureList(): the buffer is not advanced past vendor bytes before reading entries, enabling attacker-controlled vendor header bytes to be appended to the trusted SHA256 hash list. A crafted TPM ev...
CVE-2026-12681
Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...
CVE-2026-46116
CVE-2026-46116 affects the Linux kernel xfrm subsystem (xfrm_state). The root cause is a local-use-after-free in __xfrm_state_delete due to unsafe deletions from byseq/byspi hash chains. The patch changes deletions to hlist_del_init_rcu and uses hlist_unhashed() checks, preventing writes after LI...