2494 matches found
JLSEC-2026-624 HTTP/2 client HPACK desynchronization via header blocks for unknown streams in HTTP.jl
Description The HTTP/2 client's processincomingframe! dropped HEADERS/CONTINUATION frames for stream ids absent from conn.streams without passing the header block through the connection's HPACK decoder. Because HPACK's dynamic table is connection-scoped and mutated as a side effect of decoding ea...
JLSEC-2026-611 Unbounded HTTP/2 concurrent streams and Rapid Reset denial of service in HTTP.jl server
Description The HTTP.jl HTTP/2 server advertised an empty initial SETTINGS frame, leaving SETTINGSMAXCONCURRENTSTREAMS effectively unlimited, and the HEADERS code path allocated per-stream state, a send-window entry, and a Threads.@spawned handler with no check on the number of open streams...
PT-2026-51589
Name of the Vulnerable Software and Affected Versions GStreamer gst-plugins-bad affected versions not specified Description A flaw in the H.266 parser occurs when processing a malformed H.266/VVC video stream containing a crafted aspect ratio indicator value. This leads to an out-of-bounds read o...
CVE-2026-49460
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.2, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /FlateDecode filter with a PNG predictor. This vulnerability is fixed in 6.12.2...
UBUNTU-CVE-2026-49460
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.2, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /FlateDecode filter with a PNG predictor. This vulnerability is fixed in 6.12.2...
CVE-2026-49460 pypdf: Inefficient decoding of FlateDecode PNG predictor streams
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.2, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /FlateDecode filter with a PNG predictor. This vulnerability is fixed in 6.12.2...
CVE-2026-53571
Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as...
CVE-2026-53571
Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as...
kernel: ALSA: usb-audio: Add sanity check for OOB writes at silencing
A flaw was found in the Linux kernel's ALSA Advanced Linux Sound Architecture USB audio subsystem. An inconsistency in how USB audio playback and capture streams are handled can lead to an out-of-bounds write to a memory buffer. This can result in a system crash, causing a denial of service for a...
DEBIAN-CVE-2026-49346
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes a signed integer overflow in de265imagegetbuffer libde265/image.cc:128. The overflow wraps the plane allocation size to a sma...
Astra Linux – Vulnerability in Chromium
A heap buffer overflow in the Media streams API in Google Chrome prior to version 97.0.4692.71 allowed a remote attacker to potentially exploit heap corruption through a crafted HTML page...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: prevents a hang during link training failure. Why When link training fails, the phy clock will be disabled. However, in “enablestreams”, it is assumed that link training was successful, and the mux selects the ph...
Astra Linux – Vulnerability in Chromium
Before version 125.0.6422.141, the Streams API in Google Chrome allowed a remote attacker to execute arbitrary code within a sandbox through a crafted HTML page. Chromium security severity: High...
Astra Linux – Vulnerability in pypdf2
PyPDF2 is an open-source Python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5, an attacker who exploited this vulnerability could create a PDF that would cause an infinite loop if the PyPDF2 code attempted to access the...
Astra Linux – Vulnerability in Firefox and Thunderbird
Poor management of ownership led to a “use-after-free” vulnerability in ReadableByteStreams. This vulnerability affects Firefox 120, Firefox ESR 115.5.0, and Thunderbird 115.5...
Astra Linux – Vulnerability in libgit2
A issue was discovered in libgit2 before versions 0.28.4 and 0.9x before version 0.99.0. path.c improperly handles equivalent filenames that exist due to NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352...
PT-2026-51098
Name of the Vulnerable Software and Affected Versions py7zr versions prior to 1.1.3 Description A denial of service issue exists where a crafted .7z archive with a large numstreams value causes excessive CPU consumption. This occurs because the PackInfo. read function in archiveinfo.py uses an On...
netty-codec-http2: Netty: Denial of Service via uncontrolled HTTP/2 concurrent streams
A flaw was found in Netty, a network application framework. A remote attacker can exploit this vulnerability by sending a large number of HTTP/2 stream requests to a Netty HTTP/2 server. If the server does not explicitly limit concurrent streams, it can lead to the allocation of numerous long-liv...
netty-codec-http2: Netty: Denial of Service via uncontrolled HTTP/2 concurrent streams
A flaw was found in Netty, a network application framework. A remote attacker can exploit this vulnerability by sending a large number of HTTP/2 stream requests to a Netty HTTP/2 server. If the server does not explicitly limit concurrent streams, it can lead to the allocation of numerous long-liv...
Denial Of Service (DoS)
Netty is vulnerable to Denial of Service DoS. The vulnerability is due to improper management of blocked streams in the HTTP/3 codec, which allows an attacker to create an unlimited number of blocked streams and exhaust memory, leading to an out-of-memory condition and service disruption...