GHSA-3C37-WWVX-H642 cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads

Summary - The cbor2 library is vulnerable to a Denial of Service DoS attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. - This vulnerability affects both the pure Python implementation and the C extension cbor2. The C extension correctly uses Python's C-API for...

CVE-2026-26209 cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads

cbor2 provides encoding and decoding for the Concise Binary Object Representation CBOR serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service DoS attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the...

GO-2026-4728 Tillitis TKey Client has an Error in Protocol Implementation in github.com/tillitis/tkeyclient

Tillitis TKey Client has an Error in Protocol Implementation in github.com/tillitis/tkeyclient...

Chromium: CVE-2026-4461 Inappropriate implementation in V8

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

[SECURITY] Fedora 43 Update: python-scitokens-1.9.7-1.fc43

SciToken reference implementation library...

[SECURITY] Fedora 44 Update: python-ujson-5.12.0-1.fc44

UltraJSON is an ultra fast JSON encoder and decoder written in pure C with bindings for Python...

CVE-2026-4447

An inappropriate implementation flaw was found in the V8 component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=486657483...

CVE-2026-4461

An inappropriate implementation flaw was found in the V8 component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=490558172...

CVE-2026-32953

Tillitis TKey Client package is a Go package for a TKey client. Versions 1.2.0 and below contain a critical bug in the tkeyclient Go module which causes 1 out of every 256 User Supplied Secrets USS to be silently ignored, producing the same Compound Device Identifier CDI—and thus the same key...

CVE-2026-32953

Tillitis TKey Client package is a Go package for a TKey client. Versions 1.2.0 and below contain a critical bug in the tkeyclient Go module which causes 1 out of every 256 User Supplied Secrets USS to be silently ignored, producing the same Compound Device Identifier CDI—and thus the same key...

Security update for chromium (important)

openSUSE Security Update: Security update for chromium Announcement ID: openSUSE-SU-2026:0084-1 Rating: important References: 1259530 1259648 1259659 Cross-References: CVE-2026-3909 CVE-2026-3910 CVE-2026-3913 CVE-2026-3914 CVE-2026-3915 CVE-2026-3916 CVE-2026-3917 CVE-2026-3918 CVE-2026-3919...

CVE-2026-3644

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update, |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.jsoutput lacked the output validation applie...

CVE-2026-32314 Yamux remote Panic via malformed Data frame with SYN set and len = 262145

Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULTCREDIT e.g. 262145. On the first packet of a new...

CVE-2026-32314 Yamux remote Panic via malformed Data frame with SYN set and len = 262145

Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULTCREDIT e.g. 262145. On the first packet of a new...

CVE-2026-32314

Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULTCREDIT e.g. 262145. On the first packet of a new...

Yamux vulnerable to remote Panic via malformed WindowUpdate credit

Sumary The Rust implementation of Yamux accepts WindowUpdate credit values from the remote peer and applies them to per-stream send-window state. A specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This ...

CVE-2026-3910

An inappropriate implementation flaw was found in the V8 component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=491410818...

chromium -- security fixes

Chrome Releases reports: This update includes 2 security fixes: 491421267 High CVE-2026-3909: Out of bounds write in Skia. Reported by Google on 2026-03-10 491410818 High CVE-2026-3910: Inappropriate implementation in V8. Reported by Google on 2026-03-10...

KLA90940 DoS vulnerability in Google Chrome

Inappropriate implementation vulnerability was found in Google Chrome. Malicious users can exploit this vulnerability to execute arbitrary code, cause denial of service. Original advisories Stable Channel Update for Desktop Exploitation Public exploits exist for this vulnerability. Related produc...

Stable Channel Update for Desktop

The Stable channel has been updated to 146.0.7680.75/76 for Windows/Mac and 146.0.7680.75 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log Security Fixes and Rewards Updated 2026-03-13: The previous version of these notes...