CVE-2026-47770

jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's ordinary command-line surface, resulting in denial of service via stack exhaustion uncontrolled recursion. The crash occurs in jq's recursive...

CVE-2026-49839

jq is a command-line JSON processor. Prior to 1.8.2, jq --rawfile can turn a handled oversized-string error into invalid-state reuse and a real heap out-of-bounds write in assertion-disabled builds. When jvloadfileraw=1 reads an attacker-controlled file, it repeatedly appends file chunks to the...

CVE-2026-12844

List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function. pairwise collects the values returned by the block into a heap buffer sized to the longer input array, then grows the buffer before each copy with a single quadrupling alloc = 2 instead of a...

CVE-2026-42389

This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers...

CVE-2026-52690

Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail...

CVE-2026-42390

An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation...

CVE-2026-42388

Incomplete validation of the SOA record present in a catalog zone might lead to a crash...

CVE-2026-42387

A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insuffcient input validation...

CVE-2026-40012

ECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled;...

CVE-2026-33612

A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning...

CVE-2026-42004

An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS options that DNSdist did not filter...

CVE-2026-40211

An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memo...

CVE-2026-40210

An out-of-bounds read might happen when SetMacAddrAction is used, potentially resulting in uninitialized memory being sent over the network or a crash...

CVE-2026-40209

An attacker might be able to cause outgoing TCP connections to backend to be stuck until a timeout occurs instead of being released immediately, by sending IXFR queries. This could be used to cause a denial of service if there is a limit to the number of concurrent connections to this backend, or...

CVE-2026-40208

An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame...

CVE-2026-40011

An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires...

CVE-2026-42005

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default...

CVE-2026-53277

KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation...

CVE-2026-53276

Bluetooth: ISO: Fix a use-after-free of the hciconn pointer...

CVE-2026-53275

ipv6: mcast: Fix use-after-free when processing MLD queries...

CVE-2026-53274

net/smc: fix sleep-inside-lock in smcsetsockopt causing local DoS...

CVE-2026-53273

tee: optee: prevent use-after-free when the client exits before the supplicant...

CVE-2026-53272

erofs: fix use-after-free on sbi-syncdecompress...

CVE-2026-53271

ksmbd: fix NULL-deref of opinfo-conn in oplock/lease break notifiers...

CVE-2026-53269

netfilter: synproxy: add mutex to guard hook reference counting...

CVE-2026-53270

ipvs: clear the svc scheduler ptr early on edit...

CVE-2026-53268

netfilter: conntrackirc: fix possible out-of-bounds read...

CVE-2026-53266

netfilter: bridge: make ebtsnat ARP rewrite writable...

CVE-2026-53267

netfilter: nftct: bail out on template ct in get eval...

CVE-2026-53265

dm cache policy smq: check allocation under invalidate lock...

CVE-2026-53263

6lowpan: fix off-by-one in multicast context address compression...

CVE-2026-53264

net/sched: actapi: use RCU with deferred freeing for action lifecycle...

CVE-2026-53262

l2tp: pppol2tp: hold reference to session in pppol2tpioctl...

CVE-2026-53260

tcp: Add preemptdisable,enablenested in reqskqueuehashreq...

CVE-2026-53261

devlink: Release nested relation on devlink free...

CVE-2026-53259

ipv6: anycast: insert aca into global hash under idev-lock...

CVE-2026-53258

wifi: fix leak if split 6 GHz scanning fails...

CVE-2026-53257

wifi: cfg80211: enforce HE/EHT cap/oper consistency...

CVE-2026-53256

Bluetooth: RFCOMM: hold listener socket in rfcommconnectind...

CVE-2026-53254

Bluetooth: RFCOMM: validate skb length in MCC handlers...

CVE-2026-53255

Bluetooth: MGMT: validate advertising TLV before type checks...

CVE-2026-53253

Bluetooth: bnep: reject short frames before parsing...

CVE-2026-53252

Bluetooth: fix memory leak in error path of hciallocdev...

CVE-2026-53251

Bluetooth: ISO: Fix not releasing hdev reference on isoconnbigsync...

CVE-2026-53250

xsk: cache csumstart/csumoffset to fix TOCTOU in xskskbmetadata...

CVE-2026-53248

net: airoha: Fix use-after-free in metadata dst teardown...

CVE-2026-53249

ipv4: restrict IPOPTSSRR and IPOPTLSRR options...

CVE-2026-53247

net: ethernet: mtkethsoc: Fix use-after-free in metadata dst teardown...

CVE-2026-53245

net/802/mrp: fix vector attribute parsing in mrppduparsevecattr...

CVE-2026-53246

sctp: validate cached peer INIT chunk length in COOKIEECHO processing...