mt6893-security-research

MT6893 Security Research Five security research findings from...

MiracleLinux 9 : nodejs:24 (AXSA:2026-449:01)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-449:01 advisory. nodejs: Nodejs denial of service CVE-2026-21637 brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion CVE-2026-2554...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007409)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007409 advisory. In the Linux kernel, the following vulnerability has been resolved: net: afcan: do not leave a dangling sk pointer in cancreate On error cancreate frees the allocate...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007593)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007593 advisory. In the Linux kernel, the following vulnerability has been resolved: net: rds: don't hold sock lock when cancelling work from rdstcpresetcallbacks syzbot is reporting...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007556)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007556 advisory. In the Linux kernel, the following vulnerability has been resolved: netlink: terminate outstanding dump on socket close Netlink supports iterative dumping of data. I...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007312)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007312 advisory. In the Linux kernel, the following vulnerability has been resolved: can: j1939: Fix UAF in j1939skmatchfilter during setsockoptSOJ1939FILTER Lock jsk-sk to prevent U...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007263)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007263 advisory. In the Linux kernel, the following vulnerability has been resolved: inet: inetdefrag: prevent sk release while still in use iplocalout and other functions can pass...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007398)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007398 advisory. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcommsockalloc btsockalloc attaches...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007479)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007479 advisory. In the Linux kernel, the following vulnerability has been resolved: vsock: Do not allow binding to VMADDRPORTANY It is possible for a vsock to autobind to...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007222)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007222 advisory. In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: free queued packets when closing socket As reported by syzbot 1, there is a memory...

SUSE SLED15 / SLES15 Security Update : kea (SUSE-SU-2026:1378-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:1378-1 advisory. Update to release 2.6.5: A large number of bracket pairs in a JSON payload directed to any endpoint would result in a...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007396)

"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007396 advisory. In the Linux kernel, the following vulnerability has been resolved: net: nsh: Use correct macoffset to unwind gso skb in nshgsosegment As the call trace shows,...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007437)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007437 advisory. In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix memory leak of struct clipvcc. ioctlATMARPMKIP allocates struct clipvcc and set it...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007343)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007343 advisory. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2capsockcreate btsockalloc...

SUSE-SU-2026:1378-1 Security update for kea

This update for kea fixes the following issues: Update to release 2.6.5: A large number of bracket pairs in a JSON payload directed to any endpoint would result in a stack overflow, due to recursive calls when parsing the JSON. This has been fixed. CVE-2026-3608 bsc1260380 A null dereference is n...

AlmaLinux 8 : nodejs:24 (ALSA-2026:7670)

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:7670 advisory. nodejs: Nodejs denial of service CVE-2026-21637 minimatch: minimatch: Denial of Service via specially crafted glob patterns CVE-2026-26996 undici: Undici:...

AlmaLinux 9 : nodejs:24 (ALSA-2026:7350)

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:7350 advisory. nodejs: Nodejs denial of service CVE-2026-21637 brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion CVE-2026-25547...

MAL-2026-2827 Malicious code in js-logger-pack (npm)

js-logger-pack is a fake npm logger that the attacker developed openly on the registry over 23 versions across two weeks 2026-04-01 to 2026-04-15. Version 1.1.20, published hours after initial detection, is a re-obfuscation of the same payload with a new hash — same C2, same capabilities. Early...

AlmaLinux 10 : nodejs24 (ALSA-2026:7675)

The remote AlmaLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:7675 advisory. nodejs: Nodejs denial of service CVE-2026-21637 brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion CVE-2026-25547...

SUSE CVE-2026-34477

The fix for CVE-2025-68161 https://logging.apache.org/security.htmlCVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.htmllog4j2.sslVerifyHostName system property, but no...