84 matches found
CVE-2026-10654
The CVE-2026-10654 issue is a race in Zephyr’s Bluetooth Classic RFCOMM host stack (subsys/bluetooth/host/classic/rfcomm.c): when one side initiates a session teardown and the peer simultaneously sends a DISC for DLCI 0, rfcomm_handle_disc() forces the session to DISCONNECTED without calling bt_l...
CVE-2026-10648
mcumgrserialprocessfrag in subsys/mgmt/mcumgr/transport/src/serialutil.c calls netbufreset on the result of smppacketalloc before checking it for NULL. smppacketalloc uses netbufallocKNOWAIT against the shared MCUmgr packet pool CONFIGMCUMGRTRANSPORTNETBUFCOUNT, default 4, which returns NULL when...
CVE-2026-10648 NULL-pointer dereference in MCUmgr serial/console SMP transport on buffer-pool exhaustion
mcumgrserialprocessfrag in subsys/mgmt/mcumgr/transport/src/serialutil.c calls netbufreset on the result of smppacketalloc before checking it for NULL. smppacketalloc uses netbufallocKNOWAIT against the shared MCUmgr packet pool CONFIGMCUMGRTRANSPORTNETBUFCOUNT, default 4, which returns NULL when...
CVE-2026-10648
CVE-2026-10648 affects Zephyr’s MCUmgr serial/console SMP transport paths. The bug occurs in mcumgr_serial_process_frag() where net_buf_reset() is invoked on the result of smp_packet_alloc() before checking NULL. smp_packet_alloc() draws from the shared MCUmgr packet pool (default 4 entries) via ...
PT-2026-53755
Name of the Vulnerable Software and Affected Versions Zephyr version 4.4.0 Description An issue exists where the mcumgr serial process frag function in subsys/mgmt/mcumgr/transport/src/serial util.c calls net buf reset on the result of smp packet alloc without first verifying if the result is NUL...
CVE-2026-13351
Zephyr’s IPv6 network stack is vulnerable to a denial-of-service caused by fragmented IPv6 packets. In the fragment-header processing path, the RX network packet buffer allocated from a memory slab is not released back to the pool after handling malicious fragments. Repeating such packets exhaust...
SUSE CVE-2026-55204
HAProxy through 3.4.0, fixed in commit 9a6d1fe, contains a null pointer dereference vulnerability in hpackdhtinsert within src/hpack-tbl.c that fails to validate the return value of hpackdhtdefrag when the memory pool is exhausted. An attacker can trigger HPACK dynamic table insertions under memo...
Astra Linux – Vulnerability in netcdf
The ezxmltoxml function in ezxml 0.8.6 and earlier is vulnerable to out-of-band OOB writes when opening an XML file after exhausting the memory pool...
Astra Linux – Vulnerability in netcdf
The ezxmlnew function in ezXML 0.8.6 and earlier is vulnerable to OOB write attacks when opening an XML file after exhausting the memory pool...
CVE-2026-39806
Loop with Unreachable Exit Condition 'Infinite Loop' vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':doreadchunkeddata!/5 in lib/bandit/http1/socket.ex terminates only when the last-chunk line 0\r\n is...
CVE-2026-42343 FastGPT: Uncontrolled Resource Consumption leading to Sandbox Exhaustion
FastGPT is an AI Agent building platform. In versions 4.14.13 and prior, the code-sandbox component suffers from insufficient resource isolation and uncontrolled resource consumption. The service relies solely on an application-level soft limit a 500ms polling interval for memory management and...
CVE-2026-42343
FastGPT is an AI Agent building platform. In versions 4.14.13 and prior, the code-sandbox component suffers from insufficient resource isolation and uncontrolled resource consumption. The service relies solely on an application-level soft limit a 500ms polling interval for memory management and...
FastGPT 资源管理错误漏洞
FastGPT is an open-source knowledge base question-answering system based on large language models developed by Labring. Versions of FastGPT 4.14.13 and earlier contain a resource management vulnerability. This vulnerability stems from insufficient resource isolation in the code-sandbox component,...
GHSA-6Q22-G298-GRJH Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver
Summary The GraphQL specification permits a single query to repeat the same field multiple times using aliases, with each alias resolved independently by default. Directus did not deduplicate resolver invocations within a single request, meaning each alias triggered a full, independent execution ...
CVE-2026-0648
The vulnerability stems from an incorrect error-checking logic in the CreateCounter function in threadx/utility/rtoscompatibilitylayers/OSEK/txosek.c when handling the return value of osekgetcounter. Specifically, the current code checks if cntrid equals 0u to determine failure, but @osekgetcount...
CVE-2026-0648
The vulnerability stems from an incorrect error-checking logic in the CreateCounter function in threadx/utility/rtoscompatibilitylayers/OSEK/txosek.c when handling the return value of osekgetcounter. Specifically, the current code checks if cntrid equals 0u to determine failure, but...
EUVD-2026-4817
The vulnerability stems from an incorrect error-checking logic in the CreateCounter function in threadx/utility/rtoscompatibilitylayers/OSEK/txosek.c when handling the return value of osekgetcounter. Specifically, the current code checks if cntrid equals 0u to determine failure, but...
CVE-2026-0648
CVE-2026-0648 : Red Hat and other sources describe a logic error in the CreateCounter() path for OSEK in threadx.c where osek_get_counter() return value is mishandled. The code tests for failure by comparing cntr_id to 0u, but osek_get_counter() signals failure with E_OS_SYS_STACK (12U). When the...
CVE-2026-0648
The vulnerability stems from an incorrect error-checking logic in the CreateCounter function in threadx/utility/rtoscompatibilitylayers/OSEK/txosek.c when handling the return value of osekgetcounter. Specifically, the current code checks if cntrid equals 0u to determine failure, but...
CVE-2026-0648
The vulnerability stems from an incorrect error-checking logic in the CreateCounter function in threadx/utility/rtoscompatibilitylayers/OSEK/txosek.c when handling the return value of osekgetcounter. Specifically, the current code checks if cntrid equals 0u to determine failure, but...