162 matches found
Astra Linux – Vulnerability in libzstd
Starting from v1.4.1 and before v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and immediately restricted those permissions afterward. As a result, the output files could temporarily be readable or writable by...
EUVD-2026-36494
Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the DelegatingDecompressorFrameListener class orchestrates HTTP/2 decompression by embedding a per-stream EmbeddedChannel that runs the...
netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression
A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli br, Zstandard zstd, or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an...
netty: io.netty/netty-codec-http: io.netty/netty-codec-http2: Netty: Denial of Service via unbounded memory allocation in HTTP content decompression
A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli br, Zstandard zstd, or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an...
CVE-2026-42587
A flaw was found in Netty. A remote attacker can bypass the configured decompression limit in the HttpContentDecompressor by sending a specially crafted compressed payload using Brotli br, Zstandard zstd, or Snappy content encodings. This can lead to unbounded memory allocation, resulting in an...
Astra Linux - уязвимость в libzstd
In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. The correct file permissions matching the input would only be set at the time of completion. As a result, output files could be readable or writable by unintended parties...
MGASA-2026-0144 Updated dpkg packages fix security vulnerabilities
It was discovered that dpkg-deb a component of dpkg, the Debian package management system does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service infinite loop spinning the CPU...
Updated dpkg packages fix security vulnerabilities
It was discovered that dpkg-deb a component of dpkg, the Debian package management system does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service infinite loop spinning the CPU...
SUSE CVE-2026-42587
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...
Linux Distros Unpatched Vulnerability : CVE-2026-42587
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation...
CVE-2026-42587
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...
CVE-2026-42587 Netty: HttpContentDecompressor maxAllocation bypass via Content-Encoding: br/zstd/snappy enables decompression bomb DoS
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate...
Unity Linux 20.1060e / 20.1070e Security Update: zstd (UTSA-2026-017635)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017635 advisory. Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permission...
Ubuntu 24.04 LTS / 25.10 : dpkg vulnerability (USN-8249-1)
The remote Ubuntu 24.04 LTS / 25.10 host has packages installed that are affected by a vulnerability as referenced in the USN-8249-1 advisory. Yashashree Gund discovered that the dpkg dpkg-deb tool incorrectly handled certain zstd-compressed .deb archives. If a user or automated system were trick...
USN-8249-1: dpkg vulnerability
Yashashree Gund discovered that the dpkg dpkg-deb tool incorrectly handled certain zstd-compressed .deb archives. If a user or automated system were tricked into manipulating a specially crafted .deb archive, a remote attacker could possibly use this issue to cause dpkg-deb to stop responding,...
USN-8249-1 dpkg vulnerability
Yashashree Gund discovered that the dpkg dpkg-deb tool incorrectly handled certain zstd-compressed .deb archives. If a user or automated system were tricked into manipulating a specially crafted .deb archive, a remote attacker could possibly use this issue to cause dpkg-deb to stop responding,...
Improper Handling of Highly Compressed Data (Data Amplification)
Overview io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework. Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification in the HttpContentDecompressor and...
Improper Handling of Highly Compressed Data (Data Amplification)
Overview Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification in the HttpContentDecompressor and DelegatingDecompressorFrameListener components when the Content-Encoding header is set to br, zstd, or snappy. An attacker can exhaust...
GHSA-F6HV-JMP6-3VWV Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS
Summary HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br Brotli, zstd, or...
Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS
Summary HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br Brotli, zstd, or...