651 matches found
kernel: net/sched: act_pedit: extend the writable skb range per key
A flaw was found in the Linux kernel's traffic control packet editing pedit subsystem. In tcfpeditact, the copy-on-write COW range for skbensurewritable is computed once before iterating over edit keys, but the calculation does not account for runtime header offsets added by typed keys. This can...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the uncompressed HEIF decoder process. An attacker can cause a crash by supplying a crafted HEIF file that manipulates compressed-unit offsets to trigger an out-of-bounds heap read. Remediation A fix was pushed int...
CVE-2026-49271
libheif is a HEIF and AVIF file format decoder and encoder. Prior to version 1.22.1, the uncompressed HEIF decoder validates explicit icef compressed-unit offsets using unitoffset + unitsize. Because the addition can wrap, a crafted HEIF file can pass the range check and then construct a vector...
kernel: net/sched: act_pedit: extend the writable skb range per key
A flaw was found in the Linux kernel's traffic control packet editing pedit subsystem. In tcfpeditact, the copy-on-write COW range for skbensurewritable is computed once before iterating over edit keys, but the calculation does not account for runtime header offsets added by typed keys. This can...
SUSE CVE-2026-46331
In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcfpeditact computes the COW range for skbensurewritable once before the key loop using tcfpoffmaxhint, but the hint does not account for the runtime header offset...
CVE-2026-46331
In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcfpeditact computes the COW range for skbensurewritable once before the key loop using tcfpoffmaxhint, but the hint does not account for the runtime header offset...
CVE-2026-46331 net/sched: fix pedit partial COW leading to page cache corruption
In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcfpeditact computes the COW range for skbensurewritable once before the key loop using tcfpoffmaxhint, but the hint does not account for the runtime header offset...
CVE-2026-46331
In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcfpeditact computes the COW range for skbensurewritable once before the key loop using tcfpoffmaxhint, but the hint does not account for the runtime header offset...
EUVD-2026-37039
In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcfpeditact computes the COW range for skbensurewritable once before the key loop using tcfpoffmaxhint, but the hint does not account for the runtime header offset...
CVE-2026-46331
CVE-2026-46331 affects the Linux kernel’s net/sched packet editing path, specifically the per-key handling in act_pedit where the writable Copy-on-Write (COW) region was calculated before the actual write offset was known. The runtime header offset from typed keys could leave portions of memory u...
CVE-2026-53704
A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using reskippascalstring without validating that offsets remain...
CVE-2026-53704
GStreamer: RealMedia demuxer in gst-plugins-ugly contains an out-of-bounds read in the FILEINFO metadata parser. The demuxer parses variable-name and variable-value pairs with re_skip_pascal_string() without validating offsets against the mapped buffer, and the element count used to control the p...
CVE-2026-53704 Gstreamer1-plugins-ugly-free: gstreamer: out-of-bounds read in realmedia demuxer fileinfo metadata parser
A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using reskippascalstring without validating that offsets remain...
CVE-2026-53704
A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using reskippascalstring without validating that offsets remain...
PT-2026-49340
Name of the Vulnerable Software and Affected Versions GStreamer affected versions not specified Description A flaw exists in the RealMedia demuxer within the gst-plugins-ugly package. When processing a RealMedia file with a specially crafted FILEINFO metadata section, the demuxer uses the re skip...
EUVD-2026-32914
pypdf: Possible large memory usage for large offsets for layout mode text...
GHSA-CJ93-CHG6-VGV8 pypdf: Possible large memory usage for large offsets for layout mode text
Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets. Patches This has been fixed in pypdf==6.12.0. Workarounds If developers are unable to immediately upgrade, they should...
pypdf: Possible large memory usage for large offsets for layout mode text
Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets. Patches This has been fixed in pypdf==6.12.0. Workarounds If developers are unable to immediately upgrade, they should...
CVE-2026-6839
Improper validation of STRING tensor offsets could allows malformed string metadata to trigger out of bounds access during constant tensor import in Samsung Open Source ONE Affected version is prior to commit 1.30.0...
CVE-2026-42615
GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /recipe=ShowBase64offsets'%3Cscript substring...