Security advisories
80 advisories affecting the catalog, most severe first.
Showing 80 advisories.
No advisories match this filter.
| Severity | Advisory | Affected packages | Status |
|---|---|---|---|
| Critical: 9.1 | Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk. When such branches are combined into a trie, the delta between the first branch and the shared tail is stored in a 16-bit field. A branch count above 65535 overflows the field, and the trie's match decision table is truncated with no warning or error. A pattern of this shape produces false positive matches (matching strings it should not) and false negative matches (failing to match strings it should). When such a pattern gates an access or filtering decision, the result is wrong. | perl | Under investigation |
| Critical: 9.8 | scanf %mc off-by-one heap buffer overflow | glibc | Under investigation |
| High: 8.4 | Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack. S_measure_struct adds each item's size times its repeat count to a running total with no overflow check, so a large repeat count in a pack or unpack template wraps the signed SSize_t total negative. The @, X, and x position codes then guard their moves with a signed length comparison that passes when the length is negative, advancing the buffer pointer out of bounds. A template derived from untrusted input can read heap memory past the buffer and return it to the caller. | perl | Under investigation |
| High | Incremental HTMLParser feed() allows CPU-exhaustion DoS via repeated unterminated markup declarations | python | Under investigation |
| High | GNU Wget 1.25.0 Heap Buffer Underread via Metalink URL Parsing | wget | Under investigation |
| High: 7.0 | Off-by-one stack buffer overflow in dnsname_to_labels via crafted DNS server response | libevent | Resolved |
| High: 8.4 | Heap out-of-bounds write in bufferevent_socket_set_conn_address_ reachable via AF_UNIX accept | libevent | Resolved |
| High: 7.5 | GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out‑of‑bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer. This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681 | gzip | Under investigation |
| High | tarfile opened in streaming mode mishandles EOF | python | Under investigation |
| High | tarfile extraction filter bypass allows escaping the destination directory | python | Under investigation |
| High: 7.3 | Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds | perl | Under investigation |
| High: 7.3 | The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records. | glibc | Under investigation |
| High: 7.5 | Potential buffer under-read in ungetwc | glibc | Under investigation |
| High: 7.5 | CVE-2026-6069 | nasm | Affected |
| High: 7.5 | CVE-2026-6067 | nasm | Affected |
| High: 7.5 | iconv crash due to assertion failure with untrusted input | glibc | Under investigation |
| High: 7.5 | gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response | glibc | Under investigation |
| High | Heap-buffer-overflow in pcre2_compile_32 | pcre2 | Fix unavailable |
| High | Heap-buffer-overflow in opj_j2k_read_tile_header | openjpeg | Affected |
| High | Heap-buffer-overflow in btf_ensure_modifiable | libbpf | Under investigation |
| High | Heap-buffer-overflow in opj_jp2_apply_pclr | opencv | Under investigation |
| High: 7.5 | slim has NULL pointer dereference when using crypt() method from glibc 2.17 | glibc | Affected |
| Medium: 5.5 | GNU patch is vulnerable to a denial of service (DoS) due to improper validation of hunk (single block of changes in diff) line offsets in unified-diff input. A specially crafted patch can specify an extremely large line number, causing the application to enter an effectively infinite processing loop while attempting to locate the requested position. This results in excessive CPU consumption and prevents the process from completing. An attacker can trigger this behavior by supplying a malicious patch file, causing the utility to become unresponsive and require manual termination. This issue has been fixed in the commit faba04ef4f2b410257f76c1b9dc85e350929c4b9 | patch | Under investigation |
| Medium: 5.5 | GNU patch is vulnerable to a NULL pointer dereference when processing a specially crafted unified-diff patch file. Improper handling of consecutive end-of-file newline markers can corrupt internal hunk (single block of changes in diff) data structures, causing the application to pass a NULL pointer to fwrite() during patch processing. An attacker can trigger this condition with a malicious patch file, causing the utility to crash and resulting in a denial of service. This issue has been fixed in the commit e6d6a4e021660679d7fc9150f981d4920f722313 | patch | Under investigation |
| Medium | GNU Wget 1.25.0 Heap Buffer Overflow via HTML Attribute Encoding | wget | Under investigation |
| Medium | GNU Wget 1.25.0 Heap Buffer Overflow via convert_fname() in url.c | wget | Under investigation |
| Medium | GNU Wget 1.25.0 Integer Overflow via Content-Range Header Parsing | wget | Under investigation |
| Medium: 4.7 | GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269 | gzip | Under investigation |
| Medium | nghttp2 nghttpx - HTTP Request/Response Smuggling via Upgrade Request with Content-Length | nghttp2 | Under investigation |
| Medium | Configuration Injection via Carriage Return (\r) in write() method | python | Under investigation |
| Medium: 6.7 | Stack buffer overflow in sample/http-server via unbounded Unix socket path (strcpy) | libevent | Resolved |
| Medium: 4.9 | No summary provided. | expat | Resolved |
| Medium: 6.9 | No summary provided. | expat | Resolved |
| Medium: 6.9 | No summary provided. | expat | Resolved |
| Medium: 6.5 | No summary provided. | expat | Resolved |
| Medium: 6.9 | No summary provided. | expat | Resolved |
| Medium: 6.9 | No summary provided. | expat | Resolved |
| Medium: 6.9 | No summary provided. | expat | Resolved |
| Medium: 6.9 | No summary provided. | expat | Resolved |
| Medium: 6.9 | No summary provided. | expat | Resolved |
| Medium: 6.9 | No summary provided. | expat | Resolved |
| Medium: 6.9 | No summary provided. | expat | Resolved |
| Medium: 4.9 | No summary provided. | expat | Resolved |
| Medium | CPython >3.11 Insecure Input Validation resulting in privilege escalation | python | Under investigation |
| Medium: 5.4 | LIBPNG: Chunk smuggling in push-mode APNG parser via unconsumed chunk body | libpng | Under investigation |
| Medium: 4.9 | No summary provided. | expat | Resolved |
| Medium: 4.6 | Terminal escape sequence injection via process argv[0] in InfoScreen_drawTitled() (mvaddstr) | htop | Under investigation |
| Medium: 5.5 | Unbounded VLA stack allocation in RichString_writeFromWide() causes denial of service via crafted process command line (ncursesw build) | htop | Under investigation |
| Medium: 6.5 | The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.0.1 to version 2.43 fail to validate the RDATA content against the RDATA length in a DNS response when processing A6, CERT, LOC, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory. These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions. | glibc | Under investigation |
| Medium: 6.1 | A flaw was found in GNU Emacs. This vulnerability, a memory corruption issue, occurs when Emacs processes specially crafted SVG (Scalable Vector Graphics) CSS (Cascading Style Sheets) data. A local user could exploit this by convincing a victim to open a malicious SVG file, which may lead to a denial of service (DoS) or potentially information disclosure. | emacs | Under investigation |
| Medium: 6.5 | CVE-2026-6068 | nasm | Affected |
| Medium: 5.4 | gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames | glibc | Under investigation |
| Medium | POP3 command injection in user-controlled commands | python | Under investigation |
| Medium | IMAP command injection in user-controlled commands | python | Under investigation |
| Medium: 6.6 | Heap-based Buffer Over-read in llama_model_load | llama.cpp | Under investigation |
| Medium: 5.5 | (1) core/tests/test_memmap.py, (2) core/tests/test_multiarray.py, (3) f2py/f2py2e.py, and (4) lib/tests/test_io.py in NumPy before 1.8.1 allow local users to write to arbitrary files via a symlink attack on a temporary file. | numpy | Resolved |
| Medium: 5.5 | __init__.py in f2py in NumPy before 1.8.1 allows local users to write to arbitrary files via a symlink attack on a temporary file. | numpy | Resolved |
| Low: 3.3 | Uncontrolled memory allocation in LIEF ELF Note parser (`Note::create`) | lief | Under investigation |
| Low | Tarfile.extract() doesn't fully respect filter parameter | python | Under investigation |
| Low | Stack-Based Buffer Overflow in libxml2 | libxml2 | Under investigation |
| Low: 3.3 | CUPS ipp backend status-line injection can update queue PPD and lead to conditional RCE as lp via foomatic-rip | cups | Under investigation |
| Low: 3.3 | Stack buffer underflow in InfoScreen_drawTitled() when terminal width is 2 columns or fewer | htop | Under investigation |
| Low: 2.9 | No summary provided. | expat | Resolved |
| Low | UNKNOWN READ in init_struct_ops_maps | libbpf | Under investigation |
| Low: 3.3 | A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution. | unzip | Under investigation |
| Unknown | Connection created for the wrong upstream for forward_auth + reverse_proxy | caddy | Under investigation |
| Unknown | HTTP Header smuggling | libevent | Resolved |
| Unknown | Dangling Pointer in `evbuffer_add_buffer_reference` | libevent | Resolved |
| Unknown | libevent evhttp: Multiple HTTP Parser Bugs Enable Request Smuggling | libevent | Resolved |
| Unknown | decode_tag_internal() can lead to out-of-bounds read | libevent | Resolved |
| Unknown | `evtag_unmarshal_header()` decodes a wire `uint32` length into a signed `int` return value. | libevent | Resolved |
| Unknown | HTTP header handling bugs create risk of access control bypass. | libevent | Resolved |
| Unknown | pcre2_serialize_encode() information disclosure | pcre2 | Under investigation |
| Unknown | Null-dereference READ in _libssh2_packet_add | libssh2 | Fix unavailable |
| Unknown | Null-dereference READ in session_startup | libssh2 | Affected |
| Unknown | Null-dereference READ in ubsan_GetStackTrace | libssh2 | Affected |
| Unknown | Null-dereference READ in _libssh2_packet_add | libssh2 | Affected |
| Unknown | UNKNOWN WRITE in regcomp | file | Resolved |
| Unknown | Incorrect-function-pointer-type in cv::split | opencv | Under investigation |
| Unknown | Null-dereference READ in session_startup | libssh2 | Affected |