EUVD-2026-38891

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: terminate the cached volume label after UTF-8 conversion ntfsfillsuper loads the on-disk volume label with utf16stoutf8s and stores the result in sbi-volume.label. The converted label is later exposed through...

UBUNTU-CVE-2026-54911

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps or ujson.dump or ujson.encode have a rejectbytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different...

CVE-2026-54911 UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps or ujson.dump or ujson.encode have a rejectbytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different...

FreeBSD : nginx -- multiple vulnerabilities (08b0c0f6-6a85-11f1-b8e5-3497f65b111b)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 08b0c0f6-6a85-11f1-b8e5-3497f65b111b advisory. The nginx developers report: A use-after-free vulnerability when using HTTP/3 and processing a...

GHSA-3J69-69WJ-XQX2 UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()

Summary ujson.dumps or ujson.dump or ujson.encode have a rejectbytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different Unicode characters instead of rejecting them. This leads to input validation bypass and data integrity...

Astra Linux – Vulnerability in libtomcrypt

In LibTomCrypt version 1.18.2, the derdecodeutf8string function located in derdecodeutf8string.c does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service such as out-of-bounds reads and crashes or to read information from other...

CVE-2026-48142

NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttpcharsetmodule module. When content is served or proxied through a location block with both sourcecharset utf-8; and a charset directive for example, charset koi8-r; configured, remote, unauthenticated attackers can send requests ...

SUSE SLED15 / SLES15 Security Update : perl-XML-LibXML (SUSE-SU-2026:2324-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2026:2324-1 advisory. This update for perl-XML-LibXML fixes the following issue - CVE-2026-8177: read out-of-bounds heap memory when parsing...

Linux Distros Unpatched Vulnerability : CVE-2026-44288

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted...

CVE-2026-49234

When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes. This only affects users who allow API access from untrusted networks...

Security update for perl-XML-LibXML

This update for perl-XML-LibXML fixes the following issue CVE-2026-8177: read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences bsc1264715. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST...

PT-2026-47777

Name of the Vulnerable Software and Affected Versions 389 Directory Server affected versions not specified Description A flaw exists in the ldap utf8prev function where bytes are read before the start of a buffer without proper bounds checking. This leads to a heap buffer over-read during string...

GHSA-GC6Q-CWCJ-3VH9 Routinator crashes when sending a maliciously crafted select-asn query parameter

When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes. This only affects users who allow API access from untrusted networks...

CVE-2026-49234

Routinator is affected by CVE-2026-49234 where sending a specifically crafted non-UTF-8 string as the select-asn parameter to the /api/v1/origins endpoint causes the application to crash. Affected component: the API handling for origins; root cause: non-UTF-8 string processing leads to a crash. I...

Medium: perl-XML-LibXML

Issue Overview: XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end of the input string into adjace...

PT-2026-47303

Name of the Vulnerable Software and Affected Versions Routinator affected versions not specified Description Routinator crashes when a specifically crafted non-UTF-8 string is sent as the select-asn query parameter to the '/api/v1/origins' endpoint. This issue specifically impacts users who permi...

Medium: perl-XML-LibXML

Issue Overview: XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end of the input string into adjace...

Amazon Linux 2 : perl-XML-LibXML, --advisory ALAS2-2026-3342 (ALAS-2026-3342)

The version of perl-XML-LibXML installed on the remote host is prior to 2.0018-5. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3342 advisory. XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncat...

CVE-2026-8177

XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory...

CVE-2026-44288

A flaw was found in protobufjs, a library that compiles protobuf definitions into JavaScript functions. An attacker who can provide specially crafted protobuf binary data containing overlong UTF-8 Unicode Transformation Format - 8-bit byte sequences may be able to bypass application-level checks...