CVE-2026-33905

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the -sample operation has an out of bounds read when an specific offset is set through the sample:offset define that could lead to an out of bounds read...

CVE-2026-33902

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. This...

CVE-2026-33901

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue has been fixed in...

CVE-2026-33900

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a...

CVE-2026-33899

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-189 and 6.9.13-44, when Magick parses an XML file it is possible that a single zero byte is written out of the bounds. This issue has been fixed in versions 6.9.13-44 and 7.1.2-1...

CVE-2026-32316

jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvpstringappend and jvpstringcopyreplacebad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer...

CVE-2026-6100

Use-after-free UAF was possible in the lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile when a memory allocation fails with a MemoryError and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling...

CVE-2026-6192

A vulnerability was identified in uclouvain openjpeg up to 2.5.4. This impacts the function opjpiinitialiseencode in the library src/lib/openjp2/pi.c. The manipulation leads to integer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The...

CVE-2026-6231

The bsonvalidate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that re...

CVE-2026-1462

A vulnerability in the TFSMLayer class of the keras package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of .keras models, even when safemode=True. This bypasses the security guarantees of safemode and enables arbitrary attacker-controlled...

CVE-2026-31427

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfconntracksip: fix use of uninitialized rtpaddr in processsdp processsdp declares union nfinetaddr rtpaddr on the stack and passes it to the nfnatsip sdpsession hook after walking the SDP media descriptions. However...

CVE-2026-31428

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlinklog: fix uninitialized padding leak in NFULAPAYLOAD buildpacketmessage manually constructs the NFULAPAYLOAD netlink attribute using skbput and skbcopybits, bypassing the standard nlareserve/nlaput helpers. Whi...

CVE-2026-31426

In the Linux kernel, the following vulnerability has been resolved: ACPI: EC: clean up handlers on probe failure in acpiecsetup When ecinstallhandlers returns -EPROBEDEFER on reduced-hardware platforms, it has already started the EC and installed the address space handler with the struct acpiec...

CVE-2026-31425

In the Linux kernel, the following vulnerability has been resolved: rds: ib: reject FRMR registration before IB connection is established rdsibgetmr extracts the rdsibconnection from conn-ctransportdata and passes it to rdsibregfrmr for FRWR memory registration. On a fresh outgoing connection, ic...

CVE-2026-31424

In the Linux kernel, the following vulnerability has been resolved: netfilter: xtables: restrict xtcheckmatch/xtchecktarget extensions for NFPROTOARP Weiming Shi says: xtmatch and xttarget structs registered with NFPROTOUNSPEC can be loaded by any protocol family through nftcompat. When such a...

CVE-2026-31423

In the Linux kernel, the following vulnerability has been resolved: net/sched: schhfsc: fix divide-by-zero in rtscmin m2sm converts a u32 slope to a u64 scaled value. For large inputs e.g. m1=4000000000, the result can reach 2^32. rtscmin stores the difference of two such u64 values in a u32...

CVE-2026-31422

In the Linux kernel, the following vulnerability has been resolved: net/sched: clsflow: fix NULL pointer dereference on shared blocks flowchange calls tcfblockq and dereferences q-handle to derive a default baseclass. Shared blocks leave block-q NULL, causing a NULL deref when a flow filter witho...

CVE-2026-31421

In the Linux kernel, the following vulnerability has been resolved: net/sched: clsfw: fix NULL pointer dereference on shared blocks The old-method path in fwclassify calls tcfblockq and dereferences q-handle. Shared blocks leave block-q NULL, causing a NULL deref when an empty clsfw filter is...

CVE-2026-31420

In the Linux kernel, the following vulnerability has been resolved: bridge: mrp: reject zero test interval to avoid OOM panic brmrpstarttest and brmrpstartintest accept the user-supplied interval value from netlink without validation. When interval is 0, usecstojiffies0 yields 0, causing the...

CVE-2026-31419

In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free in bondxmitbroadcast bondxmitbroadcast reuses the original skb for the last slave determined by bondislastslave and clones it for others. Concurrent slave enslave/release can mutate the slave list...

CVE-2026-31418

In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: drop logically empty buckets in mtypedel mtypedel counts empty slots below n-pos in k, but it only drops the bucket when both n-pos and k are zero. This misses buckets whose live entries have all been removed...

CVE-2026-31417

In the Linux kernel, the following vulnerability has been resolved: net/x25: Fix overflow when accumulating packets Add a check to ensure that x25sock.fraglen does not overflow. The fraglen also needs to be resetted when purging fragmentqueue in x25clearqueues...

CVE-2026-31415

In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid overflows in ip6datagramsendctl Yiming Qian reported : I believe I found a locally triggerable kernel bug in the IPv6 sendmsg ancillary-data path that can panic the kernel via skbunderpanic local DoS. The core issue i...

CVE-2026-31416

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlinklog: account for netlink header size This is a followup to an old bug fix: NLMSGDONE needs to account for the netlink header size, not just the attribute size. This can result in a WARN splat + drop of the...

CVE-2026-31414

In the Linux kernel, the following vulnerability has been resolved: netfilter: nfconntrackexpect: use expect-helper Use expect-helper in ctnetlink and /proc to dump the helper name. Using nfcthelp without holding a reference to the master conntrack is unsafe. Use exp-master-helper in ctnetlink pa...

CVE-2026-29628

A stack overflow in the experimental/tinyobjloaderopt.h file of tinyobjloader commit d56555b allows attackers to cause a Denial of Service DoS via supplying a crafted .mtl file...

CVE-2026-30997

An out-of-bounds read in the readglobalparam function libavcodec/av1dec.c of FFmpeg v8.0.1 allows attackers to cause a Denial of Service DoS via a crafted input...

CVE-2026-33555

An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be...

CVE-2026-40396

Varnish Cache 9 before 9.0.1 allows a "workspace overflow" denial of service daemon panic after timeoutlinger. A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread timeoutlinger and resume traffic before the session is closed timeoutidle...

CVE-2026-40395

Varnish Enterprise before 6.0.16r12 allows a "workspace overflow" denial of service daemon panic for shared VCL. The headerplus.writereq0 function from vmodheaderplus updates the underlying req0, which is normally the original read-only request from which req is derived readable and writable from...

CVE-2026-40394

Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a "workspace overflow" denial of service daemon panic for certain amounts of prefetched data. The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is...

CVE-2026-40393

In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca...

CVE-2026-40386

In libexif through 0.6.25, an integer underflow in size checking for Fuji and Olympus MakerNote decoding could be used by attackers to crash or leak information out of libexif-using programs...

CVE-2026-40385

In libexif through 0.6.25, an unsigned 32bit integer overflow in Nikon MakerNote handling could be used by local attackers to cause crashes or information leaks. This only affects 32bit systems...

CVE-2026-31413

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix unsound scalar forking in maybeforkscalars for BPFOR maybeforkscalars is called for both BPFAND and BPFOR when the source operand is a constant. When dst has signed range -1, 0, it forks the verifier state: the pushed pa...

CVE-2026-40354

Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on gfiletrash...

CVE-2026-4158

KeePassXC OpenSSL Configuration Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of KeePassXC. An attacker must first obtain the ability to execute low-privileged code on the targe...

CVE-2026-4154

GIMP XPM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a...

CVE-2026-4153

GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page o...

CVE-2026-4152

GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page o...

CVE-2026-4151

GIMP ANI File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a...

CVE-2026-4150

GIMP PSD File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a...

CVE-2026-40199

Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass. packipv6 includes the sentinel byte from packipv4 when building the packed representation of IPv4 mapped addresses like ::ffff:192.168.1.1. This produces an 18 byte value instead of...

CVE-2026-40198

Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass. packipv6 does not check that uncompressed IPv6 addresses without :: have exactly 8 hex groups. Inputs like "abcd", "1:2:3", or "1:2:3:4:5:6:7" are accepted and produce packed values of...

CVE-2026-40194

phpseclib is a PHP secure communications library. Starting in 0.1.1 and prior to 3.0.51, 2.0.53, and 1.0.28, phpseclib\Net\SSH2::getbinarypacket uses PHP's != operator to compare a received SSH packet HMAC against the locally computed HMAC. != on equal-length binary strings in PHP uses memcmp,...

CVE-2026-40175

Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This...

CVE-2026-3446

When calling base64.b64decode or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use...

CVE-2026-1502

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host...

CVE-2026-40228

In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set...

CVE-2026-40023

Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx11xml11XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/charsets in log messages, NDC, and MDC property keys and values, producin...