604 matches found
GHSA-Q6RR-FM2G-G5X8 Scriban: array * int (ScriptArray<T>.TryEvaluate) bypasses LoopLimit — incomplete fix for GHSA-c875-h985-hvrc, missed sibling of GHSA-24c8-4792-22hx
Summary The array multiplication operator array integer in Scriban allocates a result whose size is the product of the attacker-controlled integer and the array length, with no LoopLimit / LimitToString check and no overflow-safe arithmetic. A 40-byte template forces a multi-gigabyte allocation,...
CVE-2026-10512
The X25519 x8664 assembly implementation fails to clear the most significant bit during the final modular reduction, so the computed result may not be fully reduced modulo the field prime 2^255 - 19. This can leave the field element in a non-canonical form, producing an incorrect result from the...
CVE-2026-53171 accel/ethosu: fix arithmetic issues in dma_length()
In the Linux kernel, the following vulnerability has been resolved: accel/ethosu: fix arithmetic issues in dmalength dmalength derives DMA region usage from command stream values and updates regionsize: len = len + stride0 size0 + stride1 size1 regionsizeregion = max..., len + dma-offset Several...
CVE-2026-52968
In the Linux kernel, the following vulnerability has been resolved: KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic kvms390pciaifenable, kvms390pciaifdisable, and aenhostforward index the GAIT by manually multiplying the index with sizeofstruct zpcigaite. Since...
poppler: Integer overflow in Poppler SplashOutputDev::tilingPatternFill leads to heap buffer overflow via unchecked dimension multiplication
A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the tilingPatternFill function. This overflow leads to an undersized heap memory allocation, allowing a subsequent...
CVE-2026-48065
The CVE-2026-48065 issue affects pam_usb for Linux prior to version 0.9.1. In src/conf.c, heap memory is allocated as size proportional to n_devices (derived from libxml2 XPath on the config file) without an upper bound. On 32-bit targets (armv7l, i686 listed in the Makefile), n_devices * sizeof(...
CVE-2026-48065 pam_usb: Unchecked integer multiplication before xmalloc() in conf.c allows heap-based buffer overflow on 32-bit targets
pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/conf.c allocates heap memory proportional to ndevices, a count derived from libxml2 XPath evaluation of the config file, without first enforcing an upper bound. On 32-bit targets armv7l, i686 --...
CVE-2026-48065 pam_usb: Unchecked integer multiplication before xmalloc() in conf.c allows heap-based buffer overflow on 32-bit targets
pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/conf.c allocates heap memory proportional to ndevices, a count derived from libxml2 XPath evaluation of the config file, without first enforcing an upper bound. On 32-bit targets armv7l, i686 --...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: i2c: designware: use casting of u64 in clock multiplication to avoid overflow In functions i2cdwscllcnt and i2cdwsclhcnt, there may be an overflow issue due to the reliance on the values of the given parameters, including icclk...
Astra Linux – Vulnerabilities in Linux, Linux-5.10, Linux-5.15, Linux-6.1
In the Linux kernel, the following vulnerability has been resolved: ACPI: LPIT – Avoid u32 multiplication overflow. In the function lpitupdateresidency, there is a possibility of overflow during multiplication, if tsckhz is large enough UINTMAX/1000. The multiplication operation should be replace...
Astra Linux – Vulnerability in Linux, Linux 5.10
preallocelemsandfreelist in kernel/bpf/stackmap.c in the Linux kernel before version 5.14.12 allows unprivileged users to trigger an eBPF multiplication integer overflow, resulting in an out-of-bounds write...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: arm64: topology: Fix for a potential overflow in amufiesetup. The function cpufreqgetHWmaxfreq returns the maximum frequency in kHz as an unsigned int. However, the function freqinvsetmaxratio receives this frequency in Hz as an...
Unity Linux 20.1050e Security Update: kernel (UTSA-2026-021620)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-021620 advisory. In the Linux kernel, the following vulnerability has been resolved: RDMA/uverbs: Prevent integer overflow issue In the expression cmd.wqesize cmd.wrcount, both...
CVE-2026-44368 PyQuorum: Timing side‑channel in mul_mod
PyQuorum is a cryptographic library for secret sharing and key management. Prior to 0.2.1, the mulmod function implements multiplication via a binary expansion loop whose execution time depends on the Hamming weight of the second operand the exponent. An attacker who can measure the time of...
CVE-2026-44368
CVE-2026-44368 affects PyQuorum prior to 0.2.1, where the mul_mod function uses a binary expansion loop whose runtime depends on the Hamming weight of the exponent. An attacker who can measure secret-sharing operation timing could progressively recover share values, potentially reconstruing the s...
CVE-2026-44368 PyQuorum: Timing side‑channel in mul_mod
PyQuorum is a cryptographic library for secret sharing and key management. Prior to 0.2.1, the mulmod function implements multiplication via a binary expansion loop whose execution time depends on the Hamming weight of the second operand the exponent. An attacker who can measure the time of...
JLSEC-2026-491
Little CMS lcms2 through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication...
CVE-2026-37540
OpenAMP v2025.10.0 ELF loader contains an integer overflow vulnerability in firmware image parsing. In elfloader.c, it performs multiplication of two attacker-controlled 16-bit values from the ELF header without overflow checking. On 32-bit embedded systems STM32MP1, Zynq, i.MX, large values can...
📄 V8 BigInt String Conversion Stress Test Conceptual Sandbox
This is a V8 Sandbox Escape vulnerability in BigInt::Allocate where buffers are shuffled outside the sandbox. The vulnerability allows for writes outside the boundaries of the allocated buffer within the sandbox outbound write by manipulating data during the MultiplyFFT process...
DEBIAN-CVE-2026-40244
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through 3.4.9, 3.3.0 through 3.3.9, and 3.2.0 through 3.2.7, internaldwacompressor.h:1722 performs curc-width curc-height in int32...