SUSE CVE-2026-43227

In the Linux kernel, the following vulnerability has been resolved: clocksource/drivers/shtmu: Always leave device running after probe The TMU device can be used as both a clocksource and a clockevent provider. The driver tries to be smart and power itself on and off, as well as enabling and...

CVE-2026-43446

A flaw was found in the Linux kernel's accel/amdxdna driver. A local user could exploit a race condition during the runtime suspend process. If a job is executing and attempts to resume the device while the system is suspending, it can lead to a deadlock, causing a Denial of Service DoS where the...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: golang (UTSA-2026-016818)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016818 advisory. Within HostnameError.Error, when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is...

DEBIAN-CVE-2026-45130

Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in readcompound in src/spellfile.c when loading a crafted spell file .spl with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-b...

GHSA-PJWX-R37V-7724 LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists

LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load with allowedobjects="all". This does not enable arbitrary Python object deserialization, but it does allow...

LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists

LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load with allowedobjects="all". This does not enable arbitrary Python object deserialization, but it does allow...

CVE-2026-7927

A type confusion flaw was found in the Runtime component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=502830119...

CVE-2026-43381

A flaw was found in the Linux kernel's nouveau display driver. When the nouveau driver is in a runtime suspended state, a local user attempting to access a Direct Rendering Manager DRM device can trigger a system crash. This vulnerability leads to a Denial of Service DoS...

CVE-2026-43355

A flaw was found in the Linux kernel's bh1780 light sensor driver. This vulnerability occurs due to a Power Management PM runtime leak, where the system's reference count for power management is not always properly decremented. An attacker could exploit this by repeatedly triggering the error pat...

Security Bulletin: IBM MQ is affected by multiple vulnerabilities in the IBM Semeru Runtime Environment (CVE-2026-21945,CVE-2026-21932,CVE-2026-21933,CVE-2026-21925,CVE-2026-1188)

Summary Multiple issues were identified with the IBM Semeru Runtime Environment which is shipped with IBM MQ Vulnerability Details CVEID:CVE-2026-21945 DESCRIPTION: Java SE is vulnerable to a denial of service, caused by an easily exploitable vulnerability issue that allows an remote attacker to...

MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys

Summary MikroORM's identifier-quoting helper Platform.quoteIdentifier and the postgres/mssql overrides and its JSON-path emitters Platform.getSearchJsonPropertyKey, quoteJsonKey did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When...

GHSA-CFW5-68C4-FFQP MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys

Summary MikroORM's identifier-quoting helper Platform.quoteIdentifier and the postgres/mssql overrides and its JSON-path emitters Platform.getSearchJsonPropertyKey, quoteJsonKey did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When...

CVE-2025-71299

A flaw was found in the Linux kernel's spi-cadence-quadspi driver. When processing Device Tree DT descriptions for attached flash devices, a missing or broken DT description can lead to a runtime power management PM disable in the error handling path of the probe function. This can result in...

CVE-2026-41690

18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that...

EUVD-2026-28752

In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix runtime suspend deadlock when there is pending job The runtime suspend callback drains the running job workqueue before suspending the device. If a job is still executing and calls pmruntimeresumeandget, it can...

EUVD-2026-28743

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in sndpcmdrain In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime runtime = s-runtime at line 2157. After releasing the stream lock at...

EUVD-2026-28663

In the Linux kernel, the following vulnerability has been resolved: iio: gyro: mpu3050-core: fix pmruntime error handling The return value of pmruntimegetsync is not checked, allowing the driver to access hardware that may fail to resume. The device usage count is also unconditionally incremented...

EUVD-2026-28661

In the Linux kernel, the following vulnerability has been resolved: iio: light: bh1780: fix PM runtime leak on error path Move pmruntimeputautosuspend before the error check to ensure the PM runtime reference count is always decremented after pmruntimegetsync, regardless of whether the read...

EUVD-2026-28571

In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix PM runtime usage count underflow Replace pmruntimeputsync with pmruntimedontuseautosuspend in the remove path to properly pair with pmruntimeuseautosuspend from probe. This allows pmruntimedisable t...

EUVD-2025-209748

In the Linux kernel, the following vulnerability has been resolved: spi: cadence-quadspi: Parse DT for flashes with the rest of the DT parsing The recent refactoring of where runtime PM is enabled done in commit f1eb4e792bb1 "spi: spi-cadence-quadspi: Enable pm runtime earlier to avoid imbalance"...