VulnCheck KEV: CVE-2026-7473

On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN Virtual Extensible LAN, decap-groups, or a GRE Generic Routing Encapsulation tunnel interface—is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packet with a...

Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel vulnerabilities (USN-8388-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8388-1 advisory. It was discovered that the Linux kernel did not properly handle shared page fragments during socket buffer operations, collectively known as...

CVE-2025-8873 Arista EOS Dataplane Denial of Service via Malformed IPsec Packet

On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being...

CVE-2025-8873 Arista EOS Dataplane Denial of Service via Malformed IPsec Packet

On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being...

CVE-2024-6858 In Arista’s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN.

In Arista’s EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN...

USN-8392-1: Linux kernel vulnerabilities

It was discovered that the Linux kernel algifaead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. CVE-2026-31431 It was discovered that the Linux kernel did n...

USN-8392-1 linux-aws-5.4, linux-hwe-5.4 vulnerabilities

It was discovered that the Linux kernel algifaead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. CVE-2026-31431 It was discovered that the Linux kernel did n...

USN-8391-1: Linux kernel (Raspberry Pi) vulnerabilities

It was discovered that the Linux kernel algifaead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. CVE-2026-31431 It was discovered that the Linux kernel did n...

USN-8389-1: Linux kernel vulnerabilities

It was discovered that the Linux kernel did not properly handle shared page fragments during socket buffer operations, collectively known as Dirty Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the RxRPC networking subsystem when processing paged fragments. A local attacker...

USN-8388-1 linux, linux-aws, linux-aws-5.15, linux-aws-fips, linux-fips, linux-gcp, linux-gcp-5.15, linux-gcp-fips, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iot-realtime, linux-intel-iotg, linux-kvm, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux-realtime vulnerabilities

It was discovered that the Linux kernel did not properly handle shared page fragments during socket buffer operations, collectively known as Dirty Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the RxRPC networking subsystem when processing paged fragments. A local attacker...

USN-8388-1: Linux kernel vulnerabilities

It was discovered that the Linux kernel did not properly handle shared page fragments during socket buffer operations, collectively known as Dirty Frag. A logic flaw existed in the XFRM ESP-in-TCP subsystem and in the RxRPC networking subsystem when processing paged fragments. A local attacker...

ROOT-APP-NPM-CVE-2025-66414 CVE-2025-66414 in @rootio/modelcontextprotocol__sdk - Patched by Root

Root has patched CVE-2025-66414 in the @rootio/modelcontextprotocolsdk package for Root:npm. Multiple fixed versions available...

Improper Synchronization

Overview Affected versions of this package are vulnerable to Improper Synchronization in the process that forwards DoQ queries to UDP upstreams, where the DNS transaction ID txid is not preserved and is always set to 0, reducing entropy in the backend tuple. An attacker can increase the likelihoo...

AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle

Summary This report covers the client-triggered DoQ forwarding path in: - dnsproxy v0.81.2 adguard/dnsproxy:v0.81.2 - AdGuard Home v0.107.74 adguard/adguardhome:latest, image version label v0.107.74 The issue was reproduced on 2026-04-25 with the products configured through their documented DoQ...

ROOT-APP-NPM-CVE-2023-42282 CVE-2023-42282 in @rootio/ip - Patched by Root

Root has patched CVE-2023-42282 in the @rootio/ip package for Root:npm. Multiple fixed versions available...

CVE-2026-21404

NAVTOR NavBox (versions up to 4.16.1.20) contains hard-coded credentials in its Windows Communication Foundation (SOAP) implementation. When SOAP is enabled, a local attacker can extract credentials and bypass the intended transfer workflow. Successful authentication to the SOAP interface grants ...

DEBIAN-CVE-2026-40898

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field...

Updating the taxonomy of failure modes in agentic AI systems: What a year of red teaming taught us

In this article 1. Why the Taxonomy Needed Updating 2. Seven new failure modes 3. Operational findings: What red teaming showed 4. New mitigations 5. What to do this quarter When the Microsoft AI Red Team published the Taxonomy of Failure Modes in Agentic AI Systems in April 2025, the goal was a...

EUVD-2026-32926

Hono: IP Restriction bypasses static deny rules for non-canonical IPv6...

EUVD-2026-34312

quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field...