Astra Linux - уязвимость в linux

A flaw was discovered in the KVM’s AMD code, responsible for supporting SVM nested virtualization. The flaw occurs during the processing of the VMCB virtual machine control block provided by the L1 guest, which is used to spawn or handle a nested guest L2. Due to improper validation of the “intct...

Astra Linux - уязвимость в linux-5.10, linux-5.15

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Warns when a triple fault assertion never “escapes” from L2 The warnings are removed because they perform a sanity check that ensures KVM never allows a triple fault in L2 to escape and end up in L1. In normal operation...

Astra Linux - уязвимость в protobuf

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups/series of SGROUP tags can be corrupted due to exceeding the stack limit, i.e., StackOverflow. Parsing nested groups as unknown fields using the DiscardUnknownFieldsParser or the Java Protobuf...

Astra Linux - уязвимость в linux-5.15

A race condition in the x86 KVM subsystem within the Linux kernel, as of 6.1-rc6, allows guest OS users to cause a denial of service host OS crash or host OS memory corruption when nested virtualization is enabled and the TDP MMU is also enabled...

Astra Linux - уязвимость в policykit-1

A flaw was discovered in polkit. When processing an XML policy with 32 or more nested elements at depth, an out-of-bounds write vulnerability can be triggered. This issue may lead to a crash or other unexpected behavior, and arbitrary code execution is possible without being detected. To exploit...

Astra Linux - уязвимость в thunderbird

Thunderbird’s handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By creating a nested email attachment message/rfc822 and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened,...

Astra Linux - уязвимость в linux-5.15

A flaw was discovered in the AMD nested virtualization SVM feature of the KVM. A malicious L1 guest could intentionally fail to intercept the shutdown of a cooperative nested guest L2, potentially causing a page fault and kernel panic in the host L0...

Astra Linux - уязвимость в firefox

A nested iframe, which triggers cross-site navigation, may send cookies with the SameSite=Strict or Lax attribute. This vulnerability affects Firefox 128 and Thunderbird 128...

Astra Linux - уязвимость в linux-6.1

In the Linux kernel, the following vulnerabilities have been resolved: KVM: x86: Acquiring kvm-srcu when handling KVMSETVCPUEVENTS Acquire kvm-srcu when processing KVMSETVCPUEVENTS. When KVM sets the SMM mode, it forcibly leaves the nested VMX/SVM state. Leaving such a state also causes nested VM...

Astra Linux - уязвимость в linux-5.10, linux-6.1

In the Linux kernel, the following vulnerability has been resolved: Counter: Interrupt-cnt: Remove the IRQFNOTHREAD flag An IRQ handler can either use IRQFNOTHREAD or acquire spinlockt. As noted by CONFIGPROVERAWLOCKNESTING: ============================= BUG: Invalid wait context 6.18.0-rc1+git...

EUVD-2026-26742

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are...

[SECURITY] [DLA 4557-1] pyasn1 security update

Debian LTS Advisory DLA-4557-1 [email protected] https://www.debian.org/lts/security/ Emmanuel Arias May 01, 2026 https://wiki.debian.org/LTS Package : pyasn1 Version : 0.4.8-1+deb11u2 CVE ID : CVE-2026-30922 Debian Bug : 1131371 It was discovered that pyasn1, a generic ASN.1 library fo...

pyasn1: pyasn1 Vulnerable to Denial of Service via Unbounded Recursion

An unbounded recursion flaw has been discovered in the pypi pyasn1 library. This uncontrolled recursion occurs when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested SEQUENCE 0x30 or SET 0x31 tags with Indefinite Length 0x80 markers. Thi...

Uncontrolled Recursion

Axios is vulnerable to uncontrolled recursion. The vulnerability is due to the toFormData function recursively processing deeply nested objects without a depth limit, which allows an attacker to supply specially crafted input that triggers a stack overflow and crashes the Node.js process...

SUSE-SU-2026:1653-1 Security update for protobuf

This update for protobuf fixes the following issues: Refresh fixes: - CVE-2025-4565: parsing of untrusted Protocol Buffers data containing an arbitrary number of recursive groups or messages can lead to crash due to RecursionError bsc1244663. - CVE-2026-0994: maxrecursiondepth limit can be bypass...

SUSE CVE-2018-25282

Nmap 7.70 contains a denial of service vulnerability that allows local attackers to crash the application by processing malicious XML files with exponential entity expansion. Attackers can create a crafted XML file with nested entity definitions and open it through ZenMap's scan import...

cpython: Stack overflow parsing XML with deeply nested DTD content models

A stack overflow flaw has been discovered in the python pyexpat module. When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs. This will result in a program crash...

CVE-2018-25282

A flaw was found in Nmap and ZenMap. A local attacker could exploit this vulnerability by crafting a malicious XML file with nested entity definitions. When this file is opened through ZenMap's scan import functionality, it causes the program to consume excessive system resources, leading to a...

CVE-2026-31684

A flaw was found in the Linux kernel's network scheduler component. A remote attacker could send specially crafted network packets containing nested Virtual Local Area Network VLAN headers. This could cause the kernel to read beyond allocated memory, leading to a system crash and a denial of...

Linux Distros Unpatched Vulnerability : CVE-2026-42039

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, s...