Common Weakness Enumeration

CWE-440

Allowed

Expected Behavior Violation

Abstraction: Base · Status: Draft

A feature, API, or function does not perform according to its specification.

79 vulnerabilities reference this CWE, most recent first.

GHSA-R99V-75P9-XQM5

Vulnerability from github – Published: 2026-04-22 19:54 – Updated: 2026-04-27 16:34
VLAI
Summary
free5GC AMF: Missing default case in Content-Type switch in HTTPUEContextTransfer
Details

Summary

The HTTPUEContextTransfer handler in internal/sbi/api_communication.go does not include a default case in the Content-Type switch statement. When a request arrives with an unsupported Content-Type, the deserialization step is silently skipped, err remains nil, and the processor is invoked with a completely uninitialized UeContextTransferRequest object.

Details

In internal/sbi/api_communication.go, the HTTPUEContextTransfer function handles the Content-Type header with a switch statement that only covers application/json and multipart/related:

switch str[0] {
case applicationjson:
    err = openapi.Deserialize(ueContextTransferRequest.JsonData, requestBody, contentType)
case multipartrelate:
    err = openapi.Deserialize(&ueContextTransferRequest, requestBody, contentType)
// no default case
}

if err != nil {
    // skipped entirely when Content-Type is unsupported
    c.JSON(http.StatusBadRequest, rsp)
    return
}

s.Processor().HandleUEContextTransferRequest(c, ueContextTransferRequest)

This is inconsistent with the two analogous handlers in the same file, HTTPCreateUEContext and HTTPN1N2MessageTransfer, which both correctly include a default branch:

default:
    err = fmt.Errorf("wrong content type")

The fix is simply to add the same default case to HTTPUEContextTransfer.

PoC

With a free5GC deployment running, send a POST request to the UE context transfer endpoint using any unsupported Content-Type (e.g. text/plain):

curl -s -X POST "http://<AMF_IP>/namf-comm/v1/ue-contexts/<ueContextId>/transfer" \\
  -H "Content-Type: text/plain" \\
  -d '{"test":"data"}' \\
  -i

Expected (correct) behavior: 400 Bad Request from the SBI layer, rejecting the request due to unsupported Content-Type — consistent with HTTPCreateUEContext.

Actual (observed) behavior: The SBI-layer error check is bypassed and the processor is reached with an empty request object, returning:

HTTP/1.1 400 Bad Request
{"status": 400, "cause": "MANDATORY_IE_MISSING"}

The MANDATORY_IE_MISSING cause originates from the processor's internal validation, not from the SBI handler — confirming the processor was called with an uninitialized struct.

Impact

The endpoint is an inter-NF SBI API used during AMF-to-AMF UE context handover. It is not directly reachable from external UEs and requires access to the internal 5GC SBI network. The processor's secondary mandatory field validation prevents any unintended state modification, so there is no direct exploitability. However, the SBI handler layer is the intended first line of defense — relying on the processor to compensate for a missing input check increases fragility and violates defense in depth. Any future change to the processor's validation logic could inadvertently expose the system to processing completely empty request objects.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/free5gc/amf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T19:54:54Z",
    "nvd_published_at": "2026-04-22T00:16:29Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `HTTPUEContextTransfer` handler in `internal/sbi/api_communication.go` does not include a `default` case in the `Content-Type` switch statement. When a request arrives with an unsupported `Content-Type`, the deserialization step is silently skipped, `err` remains `nil`, and the processor is invoked with a completely uninitialized `UeContextTransferRequest` object.\n\n## Details\n\nIn `internal/sbi/api_communication.go`, the `HTTPUEContextTransfer` function handles the `Content-Type` header with a switch statement that only covers `application/json` and `multipart/related`:\n\n```go\nswitch str[0] {\ncase applicationjson:\n    err = openapi.Deserialize(ueContextTransferRequest.JsonData, requestBody, contentType)\ncase multipartrelate:\n    err = openapi.Deserialize(\u0026ueContextTransferRequest, requestBody, contentType)\n// no default case\n}\n\nif err != nil {\n    // skipped entirely when Content-Type is unsupported\n    c.JSON(http.StatusBadRequest, rsp)\n    return\n}\n\ns.Processor().HandleUEContextTransferRequest(c, ueContextTransferRequest)\n```\n\nThis is inconsistent with the two analogous handlers in the same file, `HTTPCreateUEContext` and `HTTPN1N2MessageTransfer`, which both correctly include a `default` branch:\n\n```go\ndefault:\n    err = fmt.Errorf(\"wrong content type\")\n```\n\nThe fix is simply to add the same `default` case to `HTTPUEContextTransfer`.\n\n## PoC\n\nWith a free5GC deployment running, send a POST request to the UE context transfer endpoint using any unsupported `Content-Type` (e.g. `text/plain`):\n\n```bash\ncurl -s -X POST \"http://\u003cAMF_IP\u003e/namf-comm/v1/ue-contexts/\u003cueContextId\u003e/transfer\" \\\\\n  -H \"Content-Type: text/plain\" \\\\\n  -d \u0027{\"test\":\"data\"}\u0027 \\\\\n  -i\n```\n\n**Expected (correct) behavior:** `400 Bad Request` from the SBI layer, rejecting the request due to unsupported Content-Type \u2014 consistent with `HTTPCreateUEContext`.\n\n**Actual (observed) behavior:** The SBI-layer error check is bypassed and the processor is reached with an empty request object, returning:\n\n```\nHTTP/1.1 400 Bad Request\n{\"status\": 400, \"cause\": \"MANDATORY_IE_MISSING\"}\n```\n\nThe `MANDATORY_IE_MISSING` cause originates from the processor\u0027s internal validation, not from the SBI handler \u2014 confirming the processor was called with an uninitialized struct.\n\n## Impact\n\nThe endpoint is an inter-NF SBI API used during AMF-to-AMF UE context handover. It is not directly reachable from external UEs and requires access to the internal 5GC SBI network. The processor\u0027s secondary mandatory field validation prevents any unintended state modification, so there is no direct exploitability. However, the SBI handler layer is the intended first line of defense \u2014 relying on the processor to compensate for a missing input check increases fragility and violates defense in depth. Any future change to the processor\u0027s validation logic could inadvertently expose the system to processing completely empty request objects.",
  "id": "GHSA-r99v-75p9-xqm5",
  "modified": "2026-04-27T16:34:26Z",
  "published": "2026-04-22T19:54:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-r99v-75p9-xqm5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41136"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/amf/releases/tag/v1.4.3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/free5gc/free5gc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "free5GC AMF: Missing default case in Content-Type switch in HTTPUEContextTransfer"
}

GHSA-RJ8Q-PRQP-JWFG

Vulnerability from github – Published: 2024-01-09 18:30 – Updated: 2026-05-12 12:31
VLAI
Details

Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions.

Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences.

The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions.

The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service.

The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-09T17:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.",
  "id": "GHSA-rj8q-prqp-jwfg",
  "modified": "2026-05-12T12:31:34Z",
  "published": "2024-01-09T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/5b139f95c9a47a55a0c54100f3837b1eee942b04"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/f3fc5808fe9ff74042d639839610d03b8fdcc015"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-331112.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-769027.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-915275.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240216-0009"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240426-0008"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240426-0013"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240503-0011"
    },
    {
      "type": "WEB",
      "url": "https://www.openssl.org/news/secadv/20240109.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/01/09/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/11/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RXMX-G7HR-8MX4

Vulnerability from github – Published: 2026-04-07 18:15 – Updated: 2026-05-07 16:44
VLAI
Summary
OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders
Details

Summary

Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates.

Impact

Cross-conversation or cross-sender collisions could cause silent message suppression and break bot workflows. This was an availability issue in webhook event processing.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.4.1
  • Patched versions: >= 2026.4.2
  • Latest published npm version: 2026.4.1

Fix Commit(s)

  • ef7c553dd16ee579f1d1a363f5881a99726c1412 — scope Zalo webhook replay dedupe across the missing event dimensions

Release Process Note

The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live.

Thanks @D0ub1e-D for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.4.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41354"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-349",
      "CWE-440"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-07T18:15:59Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nBefore OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates.\n\n## Impact\n\nCross-conversation or cross-sender collisions could cause silent message suppression and break bot workflows. This was an availability issue in webhook event processing.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.4.1`\n- Patched versions: `\u003e= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `ef7c553dd16ee579f1d1a363f5881a99726c1412` \u2014 scope Zalo webhook replay dedupe across the missing event dimensions\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @D0ub1e-D for reporting.",
  "id": "GHSA-rxmx-g7hr-8mx4",
  "modified": "2026-05-07T16:44:15Z",
  "published": "2026-04-07T18:15:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41354"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/ef7c553dd16ee579f1d1a363f5881a99726c1412"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-insufficient-scope-in-zalo-webhook-replay-dedupe-keys"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders"
}

GHSA-VJ87-7W3C-GHMP

Vulnerability from github – Published: 2025-05-13 12:31 – Updated: 2025-05-13 12:31
VLAI
Details

A vulnerability has been identified in APOGEE PXC+TALON TC Series (BACnet) (All versions). Affected devices start sending unsolicited BACnet broadcast messages after processing a specific BACnet createObject request. This could allow an attacker residing in the same BACnet network to send a specially crafted message that results in a partial denial of service condition of the targeted device, and potentially reduce the availability of BACnet network. A power cycle is required to restore the device's normal operation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40555"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-13T10:15:25Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in APOGEE PXC+TALON TC Series (BACnet) (All versions). Affected devices start sending unsolicited BACnet broadcast messages after processing a specific BACnet createObject request. This could allow an attacker residing in the same BACnet network to send a specially crafted message that results in a partial denial of service condition of the targeted device, and potentially reduce the availability of BACnet network. A power cycle is required to restore the device\u0027s normal operation.",
  "id": "GHSA-vj87-7w3c-ghmp",
  "modified": "2025-05-13T12:31:36Z",
  "published": "2025-05-13T12:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40555"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-718393.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-WHX8-2789-8W4W

Vulnerability from github – Published: 2025-04-20 00:31 – Updated: 2025-11-03 21:33
VLAI
Details

cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {"a": true, "b": [ null,9999999999999999999999999999999999999999999999912345678901234567]}.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26819"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-19T22:15:14Z",
    "severity": "LOW"
  },
  "details": "cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {\"a\": true, \"b\": [ null,9999999999999999999999999999999999999999999999912345678901234567]}.",
  "id": "GHSA-whx8-2789-8w4w",
  "modified": "2025-11-03T21:33:41Z",
  "published": "2025-04-20T00:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26819"
    },
    {
      "type": "WEB",
      "url": "https://github.com/boofish/json_bugs/tree/main/cjson"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00014.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X5W7-GCH7-XJF6

Vulnerability from github – Published: 2025-10-30 21:30 – Updated: 2025-10-30 21:30
VLAI
Details

In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend does not properly validate the OTP or backup code when the API endpoint '/api/auth/2fa/disable' is directly accessed. This flaw can be exploited by authenticated users to weaken the security of their own accounts, although it does not lead to full account compromise.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8850"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-30T20:15:39Z",
    "severity": "LOW"
  },
  "details": "In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend does not properly validate the OTP or backup code when the API endpoint \u0027/api/auth/2fa/disable\u0027 is directly accessed. This flaw can be exploited by authenticated users to weaken the security of their own accounts, although it does not lead to full account compromise.",
  "id": "GHSA-x5w7-gch7-xjf6",
  "modified": "2025-10-30T21:30:46Z",
  "published": "2025-10-30T21:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8850"
    },
    {
      "type": "WEB",
      "url": "https://github.com/danny-avila/librechat/commit/7e4c8a5d0d2dbe5bf8fd272ff6acafb27d24744f"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/8e615709-f4de-41e2-b194-f0d91ed7c75e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XFCV-GP55-3WPF

Vulnerability from github – Published: 2026-05-20 12:30 – Updated: 2026-06-30 03:36
VLAI
Details

NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could defeat its purpose and degrade resolution performance. Retransmits of the same query could renew the age of slow running queries and not allow the jostle logic to see them as aged and potential targets for replacement with new queries. An adversary who can query a vulnerable Unbound and who can control a domain name server that replies slowly and/or maliciously to Unbound's queries can exploit the vulnerability and degrade the resolution performance of Unbound. When Unbound's 'num-queries-per-thread' reaches its limit, the jostle logic kicks in. When a new query comes in, half of the available queries that are also slow to resolve are candidates for replacement. The vulnerability then happens because duplicate queries that need resolution would skew the aging result by using the timestamp of the latest duplicate query instead of the original one that started the resolution effort. Cache and local data response performance remains unaffected. Coordinated attacks could raise this to a denial of resolution service. Unbound 1.25.1 contains a patch with a fix to attach an initial, non-updatable start time for incoming queries that allow the jostle logic to work as intended.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-42534"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440",
      "CWE-911"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-20T10:16:27Z",
    "severity": "MODERATE"
  },
  "details": "NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could defeat its purpose and degrade resolution performance. Retransmits of the same query could renew the age of slow running queries and not allow the jostle logic to see them as aged and potential targets for replacement with new queries. An adversary who can query a vulnerable Unbound and who can control a domain name server that replies slowly and/or maliciously to Unbound\u0027s queries can exploit the vulnerability and degrade the resolution performance of Unbound. When Unbound\u0027s \u0027num-queries-per-thread\u0027 reaches its limit, the jostle logic kicks in. When a new query comes in, half of the available queries that are also slow to resolve are candidates for replacement. The vulnerability then happens because duplicate queries that need resolution would skew the aging result by using the timestamp of the latest duplicate query instead of the original one that started the resolution effort. Cache and local data response performance remains unaffected. Coordinated attacks could raise this to a denial of resolution service. Unbound 1.25.1 contains a patch with a fix to attach an initial, non-updatable start time for incoming queries that allow the jostle logic to work as intended.",
  "id": "GHSA-xfcv-gp55-3wpf",
  "modified": "2026-06-30T03:36:45Z",
  "published": "2026-05-20T12:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42534"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-42534"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480131"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42534.json"
    },
    {
      "type": "WEB",
      "url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42534.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XMJ6-5Q7J-J6GG

Vulnerability from github – Published: 2022-10-25 19:00 – Updated: 2025-05-07 15:31
VLAI
Details

A flaw was found in the KVM's AMD nested virtualization (SVM). A malicious L1 guest could purposely fail to intercept the shutdown of a cooperative nested guest (L2), possibly leading to a page fault and kernel panic in the host (L0).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3344"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-25T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in the KVM\u0027s AMD nested virtualization (SVM). A malicious L1 guest could purposely fail to intercept the shutdown of a cooperative nested guest (L2), possibly leading to a page fault and kernel panic in the host (L0).",
  "id": "GHSA-xmj6-5q7j-j6gg",
  "modified": "2025-05-07T15:31:14Z",
  "published": "2022-10-25T19:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3344"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2130278"
    },
    {
      "type": "WEB",
      "url": "https://lore.kernel.org/lkml/20221020093055.224317-5-mlevitsk%40redhat.com/T"
    },
    {
      "type": "WEB",
      "url": "https://lore.kernel.org/lkml/20221020093055.224317-5-mlevitsk@redhat.com/T"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPM6-XP6J-7W29

Vulnerability from github – Published: 2026-05-29 15:30 – Updated: 2026-05-29 15:30
VLAI
Details

Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller's transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-49316"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-29T14:16:32Z",
    "severity": "MODERATE"
  },
  "details": "Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle\u0027s anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller\u0027s transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation.",
  "id": "GHSA-xpm6-xp6j-7w29",
  "modified": "2026-05-29T15:30:35Z",
  "published": "2026-05-29T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49316"
    },
    {
      "type": "WEB",
      "url": "https://cwe.mitre.org/data/definitions/440.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.