Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via improper validation in the sanitizePath function. An attacker can access or modify files outside the intended directory boundary by crafting paths that bypass prefix-based checks. Details A Directory Traversal...

CVE-2026-35374

The CVE concerns the split utility of uutils coreutils, where a TOCTOU race exists between a path-based check and subsequent opening with truncation. An attacker with directory write access can swap path components (e.g., via a symlink) during the race, causing split to truncate and write to an u...

CVE-2026-35374

A Time-of-Check to Time-of-Use TOCTOU vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity between input and output files using their file paths before initiating the split operation. However, the utility subsequently...

CVE-2026-35356

A Time-of-Check to Time-of-Use TOCTOU vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a second path resolution to create the target file, neither of which is anchored to a directory file...

CVE-2026-35356

CVE-2026-35356 describes a TOCTOU vulnerability in the install utility of the uutils coreutils when using -D. The process creates parent directories and then performs a second path resolution to create the target file, without anchoring to a directory file descriptor. A concurrent writer can repl...

CVE-2026-35355 uutils coreutils install Arbitrary File Overwrite via Symlink TOCTOU Race

The install utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use TOCTOU race condition during file installation. The implementation unlinks an existing destination file and then recreates it using a path-based operation without the OEXCL flag. A local attacker can exploit t...

CVE-2026-35354 uutils coreutils mv Security Xattr TOCTOU Race in Cross-Device

A Time-of-Check to Time-of-Use TOCTOU vulnerability exists in the mv utility of uutils coreutils during cross-device moves. The extended attribute xattr preservation logic uses multiple path-based system calls that perform fresh path-to-inode lookups for each operation. A local attacker with writ...

Exploit for Out-of-bounds Write in Google Chrome

all credit goes to DARKNAVY's scripthttps://gi...

EUVD-2026-24943

A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service...

EUVD-2026-24839

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix potential deadlock in cpu hotplug with osnoise The following sequence may leads deadlock in cpu hotplug: task1 task2 task3 ----- ----- ----- mutexlock&interfacelock CPU GOING OFFLINE cpuswritelock; osnoisecpudie;...

EUVD-2026-24762

In the Linux kernel, the following vulnerability has been resolved: netfs: Fix NULL pointer dereference in netfsunbufferedwrite on retry When a write subrequest is marked NETFSSREQNEEDRETRY, the retry path in netfsunbufferedwrite unconditionally calls stream-preparewrite without checking if it is...

EUVD-2026-24736

A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the logsdir parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to...

GHSA-PQMG-C2J8-FQ92 InstructLab vulnerable to Path Traversal

A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the logsdir parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to...

GHSA-49VV-25QX-MG44 OpenRemote has Improper Access Control via updateUserRealmRoles function

Summary A user who has write:admin in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including master. The handler uses the realm path segment when talking to the identity provider but does not check that the caller may administer that realm...

CVE-2026-33602

A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service...

CVE-2026-31437

In the Linux kernel, the following vulnerability has been resolved: netfs: Fix NULL pointer dereference in netfsunbufferedwrite on retry When a write subrequest is marked NETFSSREQNEEDRETRY, the retry path in netfsunbufferedwrite unconditionally calls stream-preparewrite without checking if it is...

CVE-2026-31505

The CVE-2026-31505 issue affects the Linux kernel iavf driver: out-of-bounds writes occur because iavf_get_ethtool_stats() uses real_num_tx_queues for ETH_SS_STATS while other paths use num_tx_queues, enabling memory corruption when ethtool -L and ethtool -S run concurrently. The fix is to use im...

CVE-2026-31437 netfs: Fix NULL pointer dereference in netfs_unbuffered_write() on retry

In the Linux kernel, the following vulnerability has been resolved: netfs: Fix NULL pointer dereference in netfsunbufferedwrite on retry When a write subrequest is marked NETFSSREQNEEDRETRY, the retry path in netfsunbufferedwrite unconditionally calls stream-preparewrite without checking if it is...

CVE-2026-31437

The CVE-2026-31437 issue is in the Linux kernel netfs path: when a write subrequest is marked NETFS_SREQ_NEED_RETRY, netfs_unbuffered_write() could dereference stream->prepare_write if it is NULL (not all filesystems, e.g., 9P, set prepare_write). The fixed behavior mirrors write_retry.c: if s...

libpng: libpng: Information disclosure and denial of service via integer truncation in simplified write API

A flaw was found in libpng, a reference library for PNG Portable Network Graphics raster image files. An integer truncation vulnerability exists in the pngwriteimage16bit and pngwriteimage8bit simplified write API functions. A local attacker could exploit this flaw by providing a negative row...