CVE-2026-8177

XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory...

CVE-2026-44288

protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them. An attacker who can provide protobuf...

CVE-2026-9516

A flaw was found in Cpanel::JSON::XS, a Perl module used for processing JSON data. This vulnerability allows a remote attacker to cause a denial of service DoS by providing specially crafted input that begins with a UTF-8 Byte Order Mark BOM. When a decode filter callback encounters an error with...

CVE-2026-9516

CVE-2026-9516 affects Cpanel::JSON::XS for Perl prior to 4.41. A UTF-8 BOM prefixed input with a throwing decode filter callback can cause the decoder to skip restoration of the input pointer, leaving the scalar with an offset pointer. When the scalar is freed, the allocator may receive an invali...

PT-2026-45892

Name of the Vulnerable Software and Affected Versions Cpanel::JSON::XS versions prior to 4.41 Description An issue exists where providing input prefixed with a UTF-8 Byte Order Mark BOM can lead to a denial of service. When the decode json function processes a 3-byte UTF-8 BOM, it advances the...

USN-7972-2 opencc vulnerability

USN-7972-1 fixed a vulnerability in OpenCC. This update provides the corresponding update for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. Original advisory details: It was discovered that OpenCC incorrectly handled truncated UTF-8 input. An attacker could possibly use this issue to cause OpenCC to...

USN-7972-2: OpenCC vulnerability

USN-7972-1 fixed a vulnerability in OpenCC. This update provides the corresponding update for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. Original advisory details: It was discovered that OpenCC incorrectly handled truncated UTF-8 input. An attacker could possibly use this issue to cause OpenCC to...

OESA-2026-2450 vim security update

Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems. Securi...

CVE-2026-45130

A flaw was found in Vim, an open-source command-line text editor. A heap buffer overflow exists in the readcompound function when processing a specially crafted spell file .spl with UTF-8 encoding active. A remote attacker could exploit this by convincing a user to open a text file containing a...

CLSA-2026-1779369819 Fix CVE(s): CVE-2026-40686, CVE-2026-40687

SECURITY UPDATE: heap read out-of-bounds in UTF-8 expansion - debian/patches/CVE-2026-40686.patch: harden $fromutf8: expansion operator against malformed UTF-8 trailing bytes. - CVE-2026-40686 SECURITY UPDATE: SPA authenticator buffer hardening - debian/patches/CVE-2026-40687.patch: zero...

Node.js: Memory Corruption via TOCTOU Race in SharedArrayBuffer UTF-8 Decode (`StringBytes::Encode`)

I discovered a memory corruption vulnerability in Node.js's native UTF-8 string decoding path src/stringbytes.cc. When Buffer.prototype.toString'utf8' is called on a Buffer backed by a SharedArrayBuffer, the underlying native code performs a validate-then-convert sequence without copying the data...

Astra Linux - уязвимость в libtomcrypt

In LibTomCrypt version 1.18.2, the derdecodeutf8string function located in derdecodeutf8string.c does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service such as out-of-bounds reads and crashes or to read information from other...

Astra Linux - уязвимость в pcre2

A out-of-bounds read was discovered in PCRE before version 10.34, where the pattern \X was JIT-compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, as it could allow an attacker to cause the...

Astra Linux - уязвимость в screen

In GNU Screen’s encoding.c file, as of version 4.8.0, remote attackers can cause a denial of service attack invalid write access and application crash, or potentially cause unspecified other impacts due to a crafted UTF-8 character sequence...

Astra Linux - уязвимость в firefox, thunderbird, expat, libxmltok

In xmltokimpl.c within Expat also known as libexpat, before version 2.4.5, there was no proper validation of encoding. This meant that there were no checks to determine whether a UTF-8 character was valid in a particular context...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fixed a potential out-of-bounds write issue in getfileallinfo for compound requests. When a compound request consists of QUERYDIRECTORY + QUERYINFO FILEALLINFORMATION, and the first command consumes nearly the entire...

CVE-2026-42327

A flaw was found in rust-openssl, a library providing OpenSSL bindings for the Rust programming language. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate. This certificate, containing non-UTF-8 characters in its OCSP Online Certificate Status...

CLSA-2026-1779130441 vim: Fix of 3 CVEs

CVE-2022-0261: fix heap-based buffer overflow in blockinsert in src/ops.c - CVE-2022-0318: fix heap-based buffer overflow in utfheadoff in mbyte.c - CVE-2022-3520: clamp bopend.col = 0 in doput to prevent Visual block put underflow...

CLSA-2026-1779129979 vim: Fix of 3 CVEs

CVE-2022-0261: fix heap-based buffer overflow in blockinsert in src/ops.c - CVE-2022-0318: fix heap-based buffer overflow in utfheadoff in mbyte.c - CVE-2022-3520: clamp bopend.col = 0 in doput to prevent Visual block put underflow...

Linux Distros Unpatched Vulnerability : CVE-2026-42327

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.7 to before 0.10.79, X509Ref::ocspresponders returns OCSP responder URLs from...