CVE-2026-52934

The CVE concerns batman-adv TVLV handling in the Linux kernel. The issue arises in batadv_tvlv_container_list_size(), where a u16 accumulator can wrap when total size exceeds U16_MAX, leading batadv_tvlv_container_ogm_append() to allocate an undersized buffer and a subsequent memcpy to write beyo...

EUVD-2026-38704

In the Linux kernel, the following vulnerability has been resolved: batman-adv: tvlv: reject oversized TVLV packets batadvtvlvcontainerogmappend builds a TVLV packet section from the tvlv.containerlist. The total size of this section is computed by batadvtvlvcontainerlistsize, which sums the size...

CVE-2026-52927

CVE-2026-52927 concerns the Linux kernel netfilter ebtables path, specifically compat_mtw_from_user. The issue arises when converting 32-bit user structures to kernel native structures: user-supplied match_size/target_size may be too small, causing an out-of-bounds read during translation of exte...

CVE-2025-71319

A flaw was found in image-size. This vulnerability allows a remote attacker to cause a Denial of Service DoS by supplying specially crafted JXL, HEIF, or JP2 image files that contain zero-sized boxes. The findBox function, responsible for image validation, enters an infinite loop when processing...

libtasn1: libtasn1: Denial of Service via stack-based buffer overflow in asn1_expend_octet_string

A flaw was found in libtasn1. A remote attacker could exploit a stack-based buffer overflow vulnerability in the asn1expendoctetstring function. This occurs due to a failure in validating the size of input data. Successful exploitation can lead to a Denial of Service DoS condition, making the...

CVE-2026-46553

CVE-2026-46553 affects NocoDB prior to 2026.04.1, where the upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote file’s Content-Length or the decoded length of a data: URI. This allowed an authenticated user with upload permissions to bypass the configured per-file size ...

CVE-2026-46551

CVE-2026-46551 affects NocoDB’s v1/v2 attachment API upload-by-url. Before 2026.04.4, the uploadViaURL path did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote content-length or response stream. The HEAD probe read content-length but wasn’t compared to the limit, and storageAdapter.fileCr...

CVE-2026-48502

MessagePack-CSharp contains a Denial of Service vulnerability in MessagePackReader.ReadDateTime() where a stack allocation is driven by attacker-controlled extension length. In the slow path, tokenSize includes the extension body length and is used in a stackalloc before the extension length is v...

CVE-2026-54285

opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were...

CVE-2026-54277

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the maxlinesize check in parts of an HTTP request in the C parser. If using the optimised C parser the default in pre-built wheels, then an attacker may be able to send...

UBUNTU-CVE-2026-42127

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access tok...

CVE-2026-54285

opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were...

CVE-2026-54277

CVE-2026-54277 affects AIOHTTP prior to 3.14.1 where the max_line_size check in parts of the C HTTP parser can be bypassed, allowing an attacker to send oversized lines and cause excessive memory use leading to DoS. The issue occurs when using the optimized C parser (default in pre-built wheels)....

CVE-2026-54277 AIOHTTP: C HTTP Parser Bypasses max_line_size for Fragmented Lines

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the maxlinesize check in parts of an HTTP request in the C parser. If using the optimised C parser the default in pre-built wheels, then an attacker may be able to send...

DEBIAN-CVE-2026-53655

node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar node-tar applies a PAX extended header's size= record and other PAX overrides to the next header entry of any type, including intermediary metadata headers such as a GNU long-name L or long-link K entry. Per POSIX pax, a PAX extend...

CVE-2026-53655

node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar node-tar applies a PAX extended header's size= record and other PAX overrides to the next header entry of any type, including intermediary metadata headers such as a GNU long-name L or long-link K entry. Per POSIX pax, a PAX extend...

CVE-2026-12549

The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific overflow checks with a general signed comparison. When a client sends a Range request with a suffix length exceeding the content size, the resulting negative start value is not properly clamped, leading t...

CVE-2026-53655 node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)

node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar node-tar applies a PAX extended header's size= record and other PAX overrides to the next header entry of any type, including intermediary metadata headers such as a GNU long-name L or long-link K entry. Per POSIX pax, a PAX extend...

CVE-2026-53655

node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar node-tar applies a PAX extended header's size= record and other PAX overrides to the next header entry of any type, including intermediary metadata headers such as a GNU long-name L or long-link K entry. Per POSIX pax, a PAX extend...

EUVD-2026-38279

The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific overflow checks with a general signed comparison. When a client sends a Range request with a suffix length exceeding the content size, the resulting negative start value is not properly clamped, leading t...