6578 matches found
FreeBSD -- Arm CPU errata may bypass page table permission changes
Problem Description: Some Arm CPUs have errata where the ordering of stores and the TLBI+DSB sequence may be incorrect. If one CPU stores to a virtual address while another CPU invalidates the translation for that address, the second CPU's TLBI+DSB may complete before the first CPU's store has be...
FreeBSD -- Arbitrary file overwrite via the KTLS receive path
Problem Description: The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile2, which can reference file-backed memory directly through non-anonymous...
FreeBSD -- Missing permission check in thr_kill2(2)
Problem Description: When used to deliver a signal to a specific thread, thrkill22 called pcansignal to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the...
FreeBSD -- Multiple vulnerabilities in OpenSSL
Problem Description: Multiple issues have been reported as part of this advisory with different issues affecting different OpenSSL versions and therefore different FreeBSD versions. Instead of exhaustively listing detailed writeups for each issue, please see the referenced advisory from OpenSSL...
OpenSSL -- Multiple vulnerabilities
The OpenSSL project reports: Eighteen vulnerabilities in OpenSSL library. Highest classification High...
FreeBSD -- Flaw in Linuxulator execution of setugid binaries
Problem Description: The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the PSUGID process flag. During execve2, this flag is not yet set at the point where the auxiliary vector is constructed, so ATSECURE was incorrectly set to zero for set-user-ID and...
Elixir -- Denial of service via unbounded integer parsing in Version
PJUllrich reports: The Version module parses numeric version components without length limits. Untrusted input can trigger creation of arbitrary-precision integers, causing CPU and memory exhaustion...
FreeBSD -- Insufficient response validation in the ldns stub resolver
Problem Description: When used as a stub resolver over UDP, ldns failed to verify that a received response belonged to the outstanding query. It did not check that the response source address and port matched the query destination, that the transaction ID matched, or that the question section of...
FreeBSD -- Integer overflow in vt(4) CONS_HISTORY ioctl
Problem Description: The CONSHISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of...
FreeBSD -- Multiple vulnerabilities in unbound
Problem Description: Multiple vulnerabilities have been reported in Unbound. Instead of listing detailed writeups for each issue, please see the upstream advisories referenced below. CVE-2026-32792: Packet of death with DNSCrypt CVE-2026-33278: Possible remote code execution during DNSSEC...
FreeBSD -- Use-after-free bug in the IPV6_MSFILTER socket option handler
Problem Description: The kernel handler for IPV6MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed...
FreeBSD -- Multiple vulnerabilities in the sound(4) mmap path
Problem Description: The sound4 driver contained two memory-safety errors in its mmap2 support. First, dspmmapsingle validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length...
Elixir -- Denial of service via unbounded integer parsing in Version
PJUllrich reports: The Version module parses numeric version components without length limits. Untrusted input can trigger creation of arbitrary-precision integers, causing CPU and memory exhaustion...
Routinator -- CWE-20 Improper Input Validation
https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49234.txt reports: When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes. This only affects users who allow API access from untrusted networks. Thanks to X41 D-S...
chromium -- security fixes
Chrome Releases reports: This update includes 74 security fixes: 516501794 Critical CVE-2026-11628: Use after free in Ozone. 516674532 Critical CVE-2026-11629: Use after free in Ozone. 516677924 Critical CVE-2026-11630: Use after free in File Input. 516691130 Critical CVE-2026-11631: Use after fr...
Routinator -- CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49233.txt reports: Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potential...
Routinator -- CWE-755 Improper Handling of Exceptional Conditions
https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49232.txt reports: Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of file descriptors. This condition can be triggered maliciously by an attacker by openin...
strongSwan -- Double-free when destroying certain cloned identities that can lead to remote code execution
R. Elliott Childre reports: The clone method of the identificationt class doesn't correctly handle identities that have an empty but non-NULL encoding. Both objects will point to the same location, resulting in a double-free once the second object is destroyed. This can lead to a crash and could...
Routinator -- CWE-755 Improper Handling of Exceptional Conditions
https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49235.txt reports: When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes. Thanks to X41 D-Sec GmbH for reporting the vulnerability...
caddy -- multiple vulnerabilities
Caddy project reports: Caddy 2.11.4 contains multiple security fixes. GitHub Security Advisory GHSA-qrp7-cvwr-j2c6 reports: Windows-encoded backslashes in request paths could bypass path-scoped authorization rules before files are served by fileserver. GitHub Security Advisory GHSA-f59h-q822-g45g...
Apache httpd -- Multiple vulnerabilities
The Apache httpd project reports: See links for details...
p5-ack -- Multiple issues
Ack project reports: CVE-2026-49147: filename ANSI escape sequences CVE-2026-49146: project .ackrc -A -B -C memory exhaustion CVE-2026-49145: project .ackrc --follow / --files-from file exfiltration...
Weechat -- Multiple vulnerabilities
The Weechat project reports: See links for detail...
traefik -- Multiple vulnerabilities
The traefik project releases a new version addressing multiple CVEs: CVE-2026-48020 StripPrefix Route-Level Auth Bypass CVE-2026-48491 SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case...
h2o -- HTTP/2 state amplification denial of service
h2o project reports: An HTTP/2 attack can combine HPACK decompression state amplification with stalled streams. Depending on server configuration, decoded header state can be retained by stalled streams, causing excessive memory use and denial of service...
Apache httpd -- DoS exploit in HTTP/2
Calif security reports: Remote DoS in modhttp2...
xwayland -- Multiple vulnerabilities
X.Org project reports: Multiple issues have been found in the X server and Xwayland implementations published by X.Org for which we are releasing security fixes for in xorg-server-21.1.23 and xwayland-24.1.12...
xorg-server -- Multiple vulnerabilities
X.Org project reports: Multiple issues have been found in the X server and Xwayland implementations published by X.Org for which we are releasing security fixes for in xorg-server-21.1.23 and xwayland-24.1.12...
Weechat -- Multiple vulnerabilities
The Weechat project reports: See links for detail...
h2o -- stack overflow serving static files on musl libc
h2o project reports: When serving static files, h2o can allocate a file path on the stack using alloca. On systems using musl libc, a large allocation can exceed the default pthread stack size and crash the server, causing a denial of service...
h2o -- heap overrun parsing zero-length SNI
h2o project reports: When h2o receives a TLS or QUIC ClientHello containing a zero-length SNI extension, it can overrun the zero-length hostname while copying it. This can trigger a segmentation fault and cause a denial of service...
mail/mailpit -- memory-exhaustion DoS via unbounded JSON body
Mailpit author reports: Sibling-endpoint memory-exhaustion DoS via unbounded JSON body on /api/v1/messages, /api/v1/tags, and /api/v1/message/id/release...
MariaDB -- Multiple vulnerabilities
The MariaDB project reports: Multiple vulnerabilities in MariaDB Cluster Galera...
Erlang/OTP -- public_key accepts non-CA certificate as intermediate issuer
https://github.com/erlang/otp/security/advisories/GHSA-c99q-jmpx-v8qq reports: Erlang/OTP's publickey application contains a path-validation flaw where non-CA certificates lacking keyUsage extensions can be accepted as intermediate issuers. An attacker with an end-entity certificate issued by a...
Erlang/OTP -- TLS hostname verification bypass via Subject CommonName fallback and name constraints
https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447 reports: Erlang/OTP's TLS hostname verification implements a legacy RFC 6125 fallback that checks the Subject CommonName when the Subject Alternative Name SAN extension is absent, rather than following RFC 9525 which requires...
Gitlab -- vulnerabilities
Gitlab reports: Improper Access Control issue in Duo AI workflow runners impacts GitLab EE Denial of Service issue in Wiki impacts GitLab CE/EE Incorrect Authorization issue in GraphQL WorkItem API impacts GitLab CE/EE Improper Authorization issue in Duo Workflows API impacts GitLab EE Missing...
Erlang/OTP -- OCSP responder certificate accepted after expiry in public_key
https://github.com/erlang/otp/security/advisories/GHSA-cjxj-wj6x-3fff reports: Erlang/OTP's publickey application fails to validate the validity period of OCSP responder certificates during response verification. An attacker possessing an expired OCSP responder's private key can forge responses...
chromium -- security fixes
Chrome Releases reports: This update includes 151 security fixes: 505077859 Critical CVE-2026-9872: Out of bounds write in GPU. 507365348 Critical CVE-2026-9873: Use after free in Network. 500609038 Critical CVE-2026-9874: Use after free in Dawn. 507508103 Critical CVE-2026-9875: Out of bounds re...
OpenEXR -- 3.4.12 fixes multiple vulnerabilities
Cary Phillips reports: The OpenEXR 3.4.12 release addresses the following security vulnerabilities: CVE-2026-45696 OpenEXR htundoimpl heap-buffer-overflow READ via codestream/channel width mismatch in HTJ2K decode CVE-2026-44663 Integer overflow in HTJ2K decoder htundoimpl leading to...
jellyfin -- multiple vulnerabilities
The Jellyfin project reports: Jellyfin Server 10.11.10 fixes three security vulnerabilities: GHSA-f47c-m7gr-q92j: details pending disclosure GHSA-jg92-mrxq-vv75: details pending disclosure GHSA-wwwm-px48-fpvq: details pending disclosure...
Roundcube Webmail -- Multiple vulnerabilities
The Roundcube Webmail project reports: See link for details. No CVE numbers available at the moment...
nginx -- heap buffer overflow in ngx_http_rewrite_module
The nginx developers report: A heap memory buffer overflow might occur in a worker process when using a configuration with overlapping captures in ngxhttprewritemodule, potentially resulting in arbitrary code execution CVE-2026-9256...
putty -- multiple security vulnerabilities
Simon Tatham reports: These features are new in PuTTY 0.84: Security issue: fixed a remotely triggerable double-free in RSA key exchange. We don't know of any way it is exploitable to execute code. Minor security issue: fixed a remotely triggerable crash in NIST ECDSA signature verification. An...
gitea -- multiple vulnerabilities
The Gitea team reports: CVE-2026-27783: incorrect read permission check CVE-2026-25714: public-only token filtering bypass CVE-2026-20706: missing token scope checking CVE-2026-27771: unauthenticated access to private container images CVE-2026-28744: git smart HTTP request scope bug CVE-2026-2869...
FreeBSD -- Missing validation in ptrace(PT_SC_REMOTE)
Problem Description: ptracePTSCREMOTE failed to properly validate parameters for the syscall2 and syscall2 meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges. Impact: T...
FreeBSD -- Stack buffer overflow via setcred(2)
Problem Description: The setcred2 system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied li...
PowerDNS -- Multiple vulnerabilities
PowerDNS Team reports: 2025-07: Internal logic flaw in cache management can lead to a denial of service in Recursor When using views, queries sent using TCP Proxy Protocol will select the view according to the address of the proxy, rather than the address of the initial query. This can lead to...
FreeBSD -- Kernel use-after-free via file descriptor syscalls
Problem Description: A file descriptor can be closed while a thread is blocked in a poll2 or select2 call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked...
FreeBSD -- Incorrect libcap_net limitation list manipulation
Problem Description: In the case of the capnet service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. Impact: In certain scenarios, an application that had previously restricted a subset of network...
FreeBSD -- select(2) file descriptor set overflow causes stack overflow
Problem Description: libcasper3 communicates with helper processes via UNIX domain sockets, and uses the select2 system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select2's descriptor set size limit of FDSETSIZE 1024. Impact: An...