Security update for ovmf (important)

openSUSE security update: security update for ovmf ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20875-1 Rating: important References: bsc1261469 bsc1261476 bsc1261477 bsc1261478 Cross-References: CVE-2026-25833 CVE-2026-25834 CVE-2026-25835...

Astra Linux - уязвимость в mbedtls

Before version 2.16.5 of Arm Mbed TLS, attackers could obtain sensitive information an RSA private key by monitoring cache usage during an import process...

Astra Linux – Vulnerability in mbedtls

A vulnerability was discovered in Arm Mbed TLS before versions 2.16.6 and 2.7.x, prior to 2.7.15. An attacker who can obtain precise side-channel measurements can recover the long-term ECDSA private key by 1 reconstructing the projective coordinates of the result of scalar multiplication by...

Fedora 44 : mbedtls (2026-3a9536df40)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-3a9536df40 advisory. Update to 3.6.6 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested fo...

EUVD-2025-20080

Malicious code in bioql PyPI...

EUVD-2025-20079

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2025-48965

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtlsasn1storenameddata can trigger conflicting data with val.p of NULL but val.len greater than...

CVE-2025-49601

A flaw was found in mbedtls. The mbedtlslmsimportpublickey function fails to validate input buffer size before reading a 32-bit field, potentially leading to an out-of-bounds read when processing truncated input. This flaw allows a network-based attacker to trigger this condition by providing a...

Fedora 42 : mbedtls (2025-d3585d3323)

The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-d3585d3323 advisory. - Update to 3.6.4 Release notes: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4 Tenable has extracted the preceding description block directl...

CVE-2025-49600

In MbedTLS 3.3.0 before 3.6.4, mbedtlslmsverify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS Leighton-Micali Signature forgery in a fault scenario. Specifically, unchecked return values in mbedtlslmsverify allow an attacker who can induce ...

CVE-2025-49601

In MbedTLS 3.3.0 before 3.6.4, mbedtlslmsimportpublickey does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtlslmsimportpublickey allows context-dependent...

CVE-2025-49600

In MbedTLS 3.3.0 before 3.6.4, mbedtlslmsverify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS Leighton-Micali Signature forgery in a fault scenario. Specifically, unchecked return values in mbedtlslmsverify allow an attacker who can induce ...

CVE-2025-49600

In MBedTLS, CVE-2025-49600 affects 3.3.0 to before 3.6.4, where mbedtls_lms_verify can accept forged Leighton-Micali Signatures in fault scenarios. The root cause is unchecked return values from internal Merkle-tree calls (create_merkle_leaf_value and create_merkle_internal_value) which can leave...

CVE-2025-49601

CVE-2025-49601 affects MbedTLS 3.3.0 through 3.6.3 (fixed in 3.6.4). The issue is in mbedtls_lms_import_public_key, which reads a 4-byte type indicator before validating the input size. If the input LMS public-key buffer is truncated to fewer than four bytes, this allows an out-of-bounds read, po...

CVE-2025-49600

In MbedTLS 3.3.0 before 3.6.4, mbedtlslmsverify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS Leighton-Micali Signature forgery in a fault scenario. Specifically, unchecked return values in mbedtlslmsverify allow an attacker who can induce ...

CVE-2025-49601

In MbedTLS 3.3.0 before 3.6.4, mbedtlslmsimportpublickey does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtlslmsimportpublickey allows context-dependent...

CVE-2025-49600

In MbedTLS 3.3.0 before 3.6.4, mbedtlslmsverify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS Leighton-Micali Signature forgery in a fault scenario. Specifically, unchecked return values in mbedtlslmsverify allow an attacker who can induce ...

CVE-2025-49601

In MbedTLS 3.3.0 before 3.6.4, mbedtlslmsimportpublickey does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtlslmsimportpublickey allows context-dependent...

PT-2025-28013 · Mbed Tls · Mbed Tls

Name of the Vulnerable Software and Affected Versions: MbedTLS versions 3.3.0 through 3.6.3 Description: The issue arises from the function mbedtls lms import public key not checking if the input buffer is at least 4 bytes before reading a 32-bit field. This allows for a possible out-of-bounds re...

PT-2025-30212

Name of the Vulnerable Software and Affected Versions mbedtls versions prior to 3.6.4 Description The software contains a use-after-free issue in the mbedtls x509 string to names function. This function incorrectly frees a pointer that application code may still be using, leading to a potential...