CWE-772
AllowedMissing Release of Resource after Effective Lifetime
Abstraction: Base · Status: Draft
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
567 vulnerabilities reference this CWE, most recent first.
CVE-2026-9156 (GCVE-0-2026-9156)
Vulnerability from cvelistv5 – Published: 2026-05-27 01:19 – Updated: 2026-05-27 13:50- CWE-772 - Missing Release of Resource after Effective Lifetime
| Vendor | Product | Version | |
|---|---|---|---|
| Tanium | Tanium Server |
Affected:
7.6.4.0 , < 7.6.4.2190
(custom)
Affected: 7.7.3.0 , < 7.7.3.8274 (custom) Affected: 7.8.2.0 , < 7.8.2.1176 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9156",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T13:50:31.230808Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T13:50:44.570Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Tanium Server",
"vendor": "Tanium",
"versions": [
{
"lessThan": "7.6.4.2190",
"status": "affected",
"version": "7.6.4.0",
"versionType": "custom"
},
{
"lessThan": "7.7.3.8274",
"status": "affected",
"version": "7.7.3.0",
"versionType": "custom"
},
{
"lessThan": "7.8.2.1176",
"status": "affected",
"version": "7.8.2.0",
"versionType": "custom"
}
]
}
],
"dateAssigned": "2026-05-21T01:21:37.531Z",
"datePublic": "2026-05-27T01:19:03.729Z",
"descriptions": [
{
"lang": "en",
"value": "Tanium addressed a denial of service vulnerability in Tanium Server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T01:19:26.286Z",
"orgId": "3938794e-25f5-4123-a1ba-5cbd7f104512",
"shortName": "Tanium"
},
"references": [
{
"name": "TAN-2026-013",
"url": "https://security.tanium.com/TAN-2026-013"
}
],
"title": "Tanium addressed a denial of service vulnerability in Tanium Server."
}
},
"cveMetadata": {
"assignerOrgId": "3938794e-25f5-4123-a1ba-5cbd7f104512",
"assignerShortName": "Tanium",
"cveId": "CVE-2026-9156",
"datePublished": "2026-05-27T01:19:26.286Z",
"dateReserved": "2026-05-21T01:21:38.154Z",
"dateUpdated": "2026-05-27T13:50:44.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3104 (GCVE-0-2026-3104)
Vulnerability from cvelistv5 – Published: 2026-03-25 13:29 – Updated: 2026-07-15 01:09- CWE-772 - Missing Release of Resource after Effective Lifetime
| URL | Tags |
|---|---|
| https://kb.isc.org/docs/cve-2026-3104 | vendor-advisory |
| https://downloads.isc.org/isc/bind9/9.20.21 | patch |
| https://downloads.isc.org/isc/bind9/9.21.20 | patch |
| https://access.redhat.com/security/cve/CVE-2026-3104 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2451310 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:6935 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| ISC | BIND 9 |
Affected:
9.20.0 , ≤ 9.20.20
(custom)
Affected: 9.21.0 , ≤ 9.21.19 (custom) Affected: 9.20.9-S1 , ≤ 9.20.20-S1 (custom) Unaffected: 9.18.0 , ≤ 9.18.46 (custom) Unaffected: 9.18.11-S1 , ≤ 9.18.46-S1 (custom) |
|
| Red Hat | Red Hat Hardened Images |
Unaffected:
9.18.48-1.hum1 , < *
(rpm)
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3104",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T14:56:20.362810Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T14:56:26.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"packageName": "bind-main",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "9.18.48-1.hum1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "bind",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"packageName": "bind",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "bind",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "bind",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "bind9.16",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "bind",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "bind9.18",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "dhcp",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"datePublic": "2026-03-25T13:29:19.494Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the BIND resolver. A remote attacker can exploit this vulnerability by querying a specially crafted domain, which causes a memory leak. This memory leak can lead to a Denial of Service (DoS) condition, making the BIND resolver unavailable to legitimate users."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T01:09:38.243Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-3104"
},
{
"name": "RHBZ#2451310",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451310"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-3104.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:6935"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:6935: Red Hat Hardened Images"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-25T14:02:15.067Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-03-25T13:29:19.494Z",
"value": "Made public."
}
],
"title": "bind: BIND: Denial of Service via specially crafted domain query causing a memory leak",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, restrict access to the BIND resolver to trusted clients only. This can be achieved by configuring firewall rules to limit inbound connections to port 53 (UDP/TCP) from known, authorized IP addresses or networks. Alternatively, configure BIND to listen only on specific trusted interfaces or localhost.\n\nExample using firewalld:\n`firewall-cmd --permanent --add-rich-rule=\u0027rule family=\"ipv4\" source address=\"\u003cTRUSTED_IP_OR_NETWORK\u003e\" port port=53 protocol=\"udp\" accept\u0027`\n`firewall-cmd --permanent --add-rich-rule=\u0027rule family=\"ipv4\" source address=\"\u003cTRUSTED_IP_OR_NETWORK\u003e\" port port=53 protocol=\"tcp\" accept\u0027`\n`firewall-cmd --reload`\n\nAfter applying changes, a restart of the BIND service may be required for the new configuration to take full effect. This may temporarily interrupt DNS resolution services."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BIND 9",
"vendor": "ISC",
"versions": [
{
"lessThanOrEqual": "9.20.20",
"status": "affected",
"version": "9.20.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.21.19",
"status": "affected",
"version": "9.21.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.20.20-S1",
"status": "affected",
"version": "9.20.9-S1",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.18.46",
"status": "unaffected",
"version": "9.18.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.18.46-S1",
"status": "unaffected",
"version": "9.18.11-S1",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
"versionEndIncluding": "9.20.20",
"versionStartIncluding": "9.20.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
"versionEndIncluding": "9.21.19",
"versionStartIncluding": "9.21.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
"versionEndIncluding": "9.20.20-S1",
"versionStartIncluding": "9.20.9-S1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
"versionEndIncluding": "9.18.46",
"versionStartIncluding": "9.18.0",
"vulnerable": false
},
{
"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
"versionEndIncluding": "9.18.46-S1",
"versionStartIncluding": "9.18.11-S1",
"vulnerable": false
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention."
}
],
"datePublic": "2026-03-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain.\nThis issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1.\nBIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected."
}
],
"exploits": [
{
"lang": "en",
"value": "We are not aware of any active exploits."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "If a BIND resolver is asked to query a specially crafted domain, memory will not be recovered by `named`. This can cause unbounded growth of Resident Set Size (RSS) memory, which may lead to an out-of-memory condition. Additionally, `named` will exit with an assertion failure if a shutdown or reload is attempted."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T13:29:19.494Z",
"orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
"shortName": "isc"
},
"references": [
{
"name": "CVE-2026-3104",
"tags": [
"vendor-advisory"
],
"url": "https://kb.isc.org/docs/cve-2026-3104"
},
{
"tags": [
"patch"
],
"url": "https://downloads.isc.org/isc/bind9/9.20.21"
},
{
"tags": [
"patch"
],
"url": "https://downloads.isc.org/isc/bind9/9.21.20"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.20.21, 9.21.20, or 9.20.21-S1."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Memory leak in code preparing DNSSEC proofs of non-existence",
"workarounds": [
{
"lang": "en",
"value": "No workarounds known."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
"assignerShortName": "isc",
"cveId": "CVE-2026-3104",
"datePublished": "2026-03-25T13:29:19.494Z",
"dateReserved": "2026-02-24T10:04:57.917Z",
"dateUpdated": "2026-07-15T01:09:38.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2359 (GCVE-0-2026-2359)
Vulnerability from cvelistv5 – Published: 2026-02-27 15:42 – Updated: 2026-07-15 01:18| URL | Tags |
|---|---|
| https://github.com/expressjs/multer/security/advi… | |
| https://www.cve.org/CVERecord?id=CVE-2026-2359 | |
| https://github.com/expressjs/multer/commit/cccf0f… | |
| https://cna.openjsf.org/security-advisories.html | |
| https://access.redhat.com/security/cve/CVE-2026-2359 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2443350 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://access.redhat.com/errata/RHSA-2026:6174 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:6802 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| expressjs | multer |
Affected:
0.0.0 , < 2.1.0
(semver)
|
|
| Red Hat | Red Hat Developer Hub 1.8 |
Unaffected:
1774545605 , < *
(rpm)
cpe:/a:redhat:rhdh:1.8::el9 |
|
| Red Hat | Red Hat Developer Hub 1.9 |
Unaffected:
1775140647 , < *
(rpm)
cpe:/a:redhat:rhdh:1.9::el9 |
|
| Red Hat | Logging Subsystem for Red Hat OpenShift |
cpe:/a:redhat:logging:5 |
|
| Red Hat | Logging Subsystem for Red Hat OpenShift |
cpe:/a:redhat:logging:5 cpe:/a:redhat:logging:6 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat Trusted Profile Analyzer |
cpe:/a:redhat:trusted_profile_analyzer:2 |
|
| Red Hat | Self-service automation portal 2 |
cpe:/a:redhat:ansible_portal:2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2359",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T17:13:07.689391Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T17:13:17.930Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:rhdh:1.8::el9"
],
"defaultStatus": "affected",
"packageName": "rhdh/rhdh-hub-rhel9",
"product": "Red Hat Developer Hub 1.8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1774545605",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:rhdh:1.9::el9"
],
"defaultStatus": "affected",
"packageName": "rhdh/rhdh-hub-rhel9",
"product": "Red Hat Developer Hub 1.9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1775140647",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:logging:5"
],
"defaultStatus": "unaffected",
"packageName": "openshift-logging/cluster-logging-operator-bundle",
"product": "Logging Subsystem for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:logging:5"
],
"defaultStatus": "unaffected",
"packageName": "openshift-logging/cluster-logging-rhel9-operator",
"product": "Logging Subsystem for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:logging:5"
],
"defaultStatus": "unaffected",
"packageName": "openshift-logging/eventrouter-rhel9",
"product": "Logging Subsystem for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:logging:5"
],
"defaultStatus": "unaffected",
"packageName": "openshift-logging/fluentd-rhel9",
"product": "Logging Subsystem for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:logging:5"
],
"defaultStatus": "unaffected",
"packageName": "openshift-logging/log-file-metric-exporter-rhel9",
"product": "Logging Subsystem for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:logging:5"
],
"defaultStatus": "unaffected",
"packageName": "openshift-logging/logging-view-plugin-rhel9",
"product": "Logging Subsystem for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:logging:5",
"cpe:/a:redhat:logging:6"
],
"defaultStatus": "unaffected",
"packageName": "openshift-logging/vector-rhel9",
"product": "Logging Subsystem for Red Hat OpenShift",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "fido-device-onboard",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "firefox",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "thunderbird",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "firefox",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "firefox",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "thunderbird",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "firefox",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "thunderbird",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:trusted_profile_analyzer:2"
],
"defaultStatus": "unaffected",
"packageName": "rhtpa/rhtpa-trustification-service-rhel9",
"product": "Red Hat Trusted Profile Analyzer",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ansible_portal:2"
],
"defaultStatus": "affected",
"packageName": "ansible-automation-platform/automation-portal",
"product": "Self-service automation portal 2",
"vendor": "Red Hat"
}
],
"datePublic": "2026-02-27T15:42:08.088Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Multer, a Node.js middleware for handling `multipart/form-data`. A remote attacker can exploit this vulnerability by intentionally dropping a connection during a file upload. This can lead to a Denial of Service (DoS) due to resource exhaustion on the affected system."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T01:18:16.179Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-2359"
},
{
"name": "RHBZ#2443350",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443350"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2359.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:6174"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:6802"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:6174: Red Hat Developer Hub 1.8"
},
{
"lang": "en",
"value": "RHSA-2026:6802: Red Hat Developer Hub 1.9"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-27T16:01:27.340Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-02-27T15:42:08.088Z",
"value": "Made public."
}
],
"title": "multer: Multer: Denial of Service via dropped file upload connections",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:npm/multer",
"product": "multer",
"vendor": "expressjs",
"versions": [
{
"lessThan": "2.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available."
}
],
"value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T15:42:08.088Z",
"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"shortName": "openjs"
},
"references": [
{
"url": "https://github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2359"
},
{
"url": "https://github.com/expressjs/multer/commit/cccf0fe0e64150c4f42ccf6654165c0d66b9adab"
},
{
"url": "https://cna.openjsf.org/security-advisories.html"
}
],
"title": "Multer vulnerable to Denial of Service via resource exhaustion",
"x_generator": {
"engine": "cve-kit 0.1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"assignerShortName": "openjs",
"cveId": "CVE-2026-2359",
"datePublished": "2026-02-27T15:42:08.088Z",
"dateReserved": "2026-02-11T17:10:23.973Z",
"dateUpdated": "2026-07-15T01:18:16.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2261 (GCVE-0-2026-2261)
Vulnerability from cvelistv5 – Published: 2026-03-09 12:10 – Updated: 2026-03-11 15:02- CWE-772 - Missing Release of Resource after Effective Lifetime
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-2261",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T15:02:47.286466Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T15:02:53.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"blocklistd"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p3",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
}
]
}
],
"datePublic": "2026-02-10T19:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives.\n\nOnce a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes before it is able to exec the helper. At this point, blocklistd still records adverse events but is unable to block new addresses or unblock addresses whose database entries have expired.\n\nOnce a second, much higher number of leaked sockets is reached, blocklistd becomes unable to receive new adverse event reports.\n\nAn attacker may take advantage of this by triggering a large number of adverse events from sacrificial IP addresses to effectively disable blocklistd before launching an attack.\n\nEven in the absence of attacks or probes by would-be attackers, adverse events will occur regularly in the course of normal operations, and blocklistd will gradually run out file descriptors and become ineffective.\n\nThe accumulation of open sockets may have knock-on effects on other parts of the system, resulting in a general slowdown until blocklistd is restarted."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T12:10:08.194Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:03.blocklistd.asc"
}
],
"title": "blocklistd(8) socket leak",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-2261",
"datePublished": "2026-03-09T12:10:08.194Z",
"dateReserved": "2026-02-09T17:48:49.244Z",
"dateUpdated": "2026-03-11T15:02:53.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65947 (GCVE-0-2025-65947)
Vulnerability from cvelistv5 – Published: 2025-11-21 22:15 – Updated: 2025-11-24 14:56| URL | Tags |
|---|---|
| https://github.com/jzeuzs/thread-amount/security/… | x_refsource_CONFIRM |
| https://github.com/jzeuzs/thread-amount/pull/29 | x_refsource_MISC |
| https://github.com/jzeuzs/thread-amount/commit/28… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| jzeuzs | thread-amount |
Affected:
< 0.2.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65947",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-24T14:56:11.090976Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T14:56:27.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "thread-amount",
"vendor": "jzeuzs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "thread-amount is a tool that gets the amount of threads in the current process. Prior to version 0.2.2, there are resource leaks when querying thread counts on Windows and Apple platforms. In Windows platforms, the thread_amount function calls CreateToolhelp32Snapshot but fails to close the returned HANDLE using CloseHandle. Repeated calls to this function will cause the handle count of the process to grow indefinitely, eventually leading to system instability or process termination when the handle limit is reached. In Apple platforms, the thread_amount function calls task_threads (via Mach kernel APIs) which allocates memory for the thread list. The function fails to deallocate this memory using vm_deallocate. Repeated calls will result in a steady memory leak, eventually causing the process to be killed by the OOM (Out of Memory) killer. This issue has been patched in version 0.2.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T22:15:30.181Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jzeuzs/thread-amount/security/advisories/GHSA-jf9p-2fv9-2jp2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jzeuzs/thread-amount/security/advisories/GHSA-jf9p-2fv9-2jp2"
},
{
"name": "https://github.com/jzeuzs/thread-amount/pull/29",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jzeuzs/thread-amount/pull/29"
},
{
"name": "https://github.com/jzeuzs/thread-amount/commit/28860d4a38286609cb884c13b5b7941edc2390e5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jzeuzs/thread-amount/commit/28860d4a38286609cb884c13b5b7941edc2390e5"
}
],
"source": {
"advisory": "GHSA-jf9p-2fv9-2jp2",
"discovery": "UNKNOWN"
},
"title": "thread-amount is Vulnerable to Resource Exhaustion (Memory and Handle Leaks) on Windows and macOS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65947",
"datePublished": "2025-11-21T22:15:30.181Z",
"dateReserved": "2025-11-18T16:14:56.691Z",
"dateUpdated": "2025-11-24T14:56:27.822Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64734 (GCVE-0-2025-64734)
Vulnerability from cvelistv5 – Published: 2025-11-18 03:26 – Updated: 2025-11-19 16:49- CWE-772 - Missing Release of Resource after Effective Lifetime
| Vendor | Product | Version | |
|---|---|---|---|
| Gallagher | T21 Reader |
Affected:
0 , ≤ 9.00
(custom)
Affected: 9.30 , < vCR9.30.251028a (custom) Affected: 9.20 , < vCR9.20.251028a (custom) Affected: 9.10 , < vCR9.10.251028a (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64734",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T15:03:05.849954Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T16:49:27.607Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "T21 Reader",
"vendor": "Gallagher",
"versions": [
{
"lessThanOrEqual": "9.00",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vCR9.30.251028a",
"status": "affected",
"version": "9.30",
"versionType": "custom"
},
{
"lessThan": "vCR9.20.251028a",
"status": "affected",
"version": "9.20",
"versionType": "custom"
},
{
"lessThan": "vCR9.10.251028a",
"status": "affected",
"version": "9.10",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMissing Release of Resource after Effective Lifetime (CWE-772) in the T21 Reader allows an attacker with physical access to the Reader to perform a denial-of-service attack against that specific reader, preventing cardholders from badging for entry. \u003c/span\u003e\n\n\u003cp\u003eThis issue affects Command Centre Server: \n\n9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)),\u0026nbsp; all versions of 9.00 and prior.\n\n\u003c/p\u003e"
}
],
"value": "Missing Release of Resource after Effective Lifetime (CWE-772) in the T21 Reader allows an attacker with physical access to the Reader to perform a denial-of-service attack against that specific reader, preventing cardholders from badging for entry. \n\nThis issue affects Command Centre Server: \n\n9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)),\u00a0 all versions of 9.00 and prior."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "LOW",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T03:26:44.442Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-64734"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2025-64734",
"datePublished": "2025-11-18T03:26:44.442Z",
"dateReserved": "2025-11-11T04:00:46.427Z",
"dateUpdated": "2025-11-19T16:49:27.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62723 (GCVE-0-2025-62723)
Vulnerability from cvelistv5 – Published: 2025-10-24 20:16 – Updated: 2025-10-24 20:32- CWE-772 - Missing Release of Resource after Effective Lifetime
| URL | Tags |
|---|---|
| https://github.com/halfgaar/FlashMQ/security/advi… | x_refsource_CONFIRM |
| https://github.com/halfgaar/FlashMQ/issues/154 | x_refsource_MISC |
| https://github.com/halfgaar/FlashMQ/commit/e86c49… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T20:31:44.102351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T20:32:00.596Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FlashMQ",
"vendor": "halfgaar",
"versions": [
{
"status": "affected",
"version": "\u003c 1.23.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.23.2, any authenticated user can create sessions and have them collect QoS messages. When not sent to a client, these are then not released upon (eventual) session expiration. Version 1.23.2 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T20:16:34.047Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/halfgaar/FlashMQ/security/advisories/GHSA-7mhp-22q4-r6vv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/halfgaar/FlashMQ/security/advisories/GHSA-7mhp-22q4-r6vv"
},
{
"name": "https://github.com/halfgaar/FlashMQ/issues/154",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/halfgaar/FlashMQ/issues/154"
},
{
"name": "https://github.com/halfgaar/FlashMQ/commit/e86c49360ef4387440c97f591770cdb9284b4ee9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/halfgaar/FlashMQ/commit/e86c49360ef4387440c97f591770cdb9284b4ee9"
}
],
"source": {
"advisory": "GHSA-7mhp-22q4-r6vv",
"discovery": "UNKNOWN"
},
"title": "FlashMQ does not release memory of queued QoS messages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62723",
"datePublished": "2025-10-24T20:16:34.047Z",
"dateReserved": "2025-10-20T19:41:22.741Z",
"dateUpdated": "2025-10-24T20:32:00.596Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61670 (GCVE-0-2025-61670)
Vulnerability from cvelistv5 – Published: 2025-10-07 18:49 – Updated: 2025-10-07 19:16- CWE-772 - Missing Release of Resource after Effective Lifetime
| URL | Tags |
|---|---|
| https://github.com/bytecodealliance/wasmtime/secu… | x_refsource_CONFIRM |
| https://github.com/bytecodealliance/wasmtime/comm… | x_refsource_MISC |
| https://github.com/bytecodealliance/wasmtime/rele… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| bytecodealliance | wasmtime |
Affected:
>= 37.0.0, < 37.0.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61670",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T19:13:46.389514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T19:16:40.499Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "wasmtime",
"vendor": "bytecodealliance",
"versions": [
{
"status": "affected",
"version": "\u003e= 37.0.0, \u003c 37.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wasmtime is a runtime for WebAssembly. Wasmtime 37.0.0 and 37.0.1 have memory leaks in the C/C++ API when using bindings for the `anyref` or `externref` WebAssembly values. This is caused by a regression introduced during the development of 37.0.0 and all prior versions of Wasmtime are unaffected. If `anyref` or `externref` is not used in the C/C++ API then embeddings are also unaffected by the leaky behavior. The `wasmtime` Rust crate is unaffected by this leak.\n\nDevelopment of Wasmtime 37.0.0 included a refactoring in Rust of changing the old `ManuallyRooted\u003cT\u003e` type to a new `OwnedRooted\u003cT\u003e` type. This change was integrated into Wasmtime\u0027s C API but left the C API in a state which had memory leaks. Additionally the new ownership semantics around this type were not reflected into the C++ API, making it leak-prone. A short version of the change is that previously `ManuallyRooted\u003cT\u003e`, as the name implies, required manual calls to an \"unroot\" operation. If this was forgotten then the memory was still cleaned up when the `wasmtime_store_t` itself was destroyed eventually. Documentation of when to \"unroot\" was sparse and there were already situations prior to 37.0.0 where memory would be leaked until the store was destroyed anyway. All memory, though, was always bound by the store, and destroying the store would guarantee that there were no memory leaks.\n\nIn migrating to `OwnedRooted\u003cT\u003e` the usage of the type in Rust changed. A manual \"unroot\" operation is no longer required and it happens naturally as a destructor of the `OwnedRooted\u003cT\u003e` type in Rust itself. These new resource ownership semantics were not fully integrated into the preexisting semantics of the C/C++ APIs in Wasmtime. A crucial distinction of `OwnedRooted\u003cT\u003e` vs `ManuallyRooted\u003cT\u003e` is that the `OwnedRooted\u003cT\u003e` type allocates host memory outside of the store. This means that if an `OwnedRooted\u003cT\u003e` is leaked then destroying a store does not release this memory and it\u0027s a permanent memory leak on the host.\n\nThis led to a few distinct, but related, issues arising: A typo in the `wasmtime_val_unroot` function in the C API meant that it did not actually unroot anything. This meant that even if embedders faithfully call the function then memory will be leaked. If a host-defined function returned a `wasmtime_{externref,anyref}_t` value then the value was never unrooted. The C/C++ API no longer has access to the value and the Rust implementation did not unroot. This meant that any values returned this way were never unrooted. The goal of the C++ API of Wasmtime is to encode automatic memory management in the type system, but the C++ API was not updated when `OwnedRooted\u003cT\u003e` was added. This meant that idiomatic usage of the C++ API would leak memory due to a lack of destructors on values.\n\nThese issues have all been fixed in a 37.0.2 release of Wasmtime. The implementation of the C and C++ APIs have been updated accordingly and respectively to account for the changes of ownership here. For example `wasmtime_val_unroot` has been fixed to unroot, the Rust-side implementation of calling an embedder-defined function will unroot return values, and the C++ API now has destructors on the `ExternRef`, `AnyRef`, and `Val` types. These changes have been made to the 37.0.x release branch in a non-API-breaking fashion. Changes to the 38.0.0 release branch (and `main` in the Wasmtime repository) include minor API updates to better accommodate the API semantic changes. The only known workaround at this time is to avoid using `externref` and `anyref` in the C/C++ API of Wasmtime. If avoiding those types is not possible then it\u0027s required for users to update to mitigate the leak issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 1,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T18:49:53.869Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vvp9-h8p2-xwfc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vvp9-h8p2-xwfc"
},
{
"name": "https://github.com/bytecodealliance/wasmtime/commit/adff9d9d0f09569203709d5687e5a7dc8e1ad0a3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bytecodealliance/wasmtime/commit/adff9d9d0f09569203709d5687e5a7dc8e1ad0a3"
},
{
"name": "https://github.com/bytecodealliance/wasmtime/releases/tag/v37.0.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bytecodealliance/wasmtime/releases/tag/v37.0.2"
}
],
"source": {
"advisory": "GHSA-vvp9-h8p2-xwfc",
"discovery": "UNKNOWN"
},
"title": "Wasmtime has memory leak in C API with `externref` and `anyref` types"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61670",
"datePublished": "2025-10-07T18:49:53.869Z",
"dateReserved": "2025-09-29T20:25:16.180Z",
"dateUpdated": "2025-10-07T19:16:40.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54983 (GCVE-0-2025-54983)
Vulnerability from cvelistv5 – Published: 2025-11-12 03:07 – Updated: 2025-11-12 18:18- CWE-772 - Missing Release of Resource after Effective Lifetime
| Vendor | Product | Version | |
|---|---|---|---|
| Zscaler | Zscaler Client Connector |
Affected:
4.6 , < 4.6.0.216
(custom)
Affected: 4.7 , < 4.7.0.47 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54983",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T18:18:25.758917Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T18:18:36.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Zscaler Client Connector",
"vendor": "Zscaler",
"versions": [
{
"lessThan": "4.6.0.216",
"status": "affected",
"version": "4.6",
"versionType": "custom"
},
{
"lessThan": "4.7.0.47",
"status": "affected",
"version": "4.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "other",
"value": "DTCC Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A health check port on Zscaler Client Connector on Windows, versions 4.6 \u0026lt; 4.6.0.216 and 4.7 \u0026lt; 4.7.0.47, which under specific circumstances was not released after use, allowed traffic to potentially bypass ZCC forwarding controls.\n\n\u003cbr\u003e"
}
],
"value": "A health check port on Zscaler Client Connector on Windows, versions 4.6 \u003c 4.6.0.216 and 4.7 \u003c 4.7.0.47, which under specific circumstances was not released after use, allowed traffic to potentially bypass ZCC forwarding controls."
}
],
"impacts": [
{
"capecId": "CAPEC-554",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-554 Functionality Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T03:07:39.531Z",
"orgId": "73c6f63b-efac-410d-a0a9-569700f85a04",
"shortName": "Zscaler"
},
"references": [
{
"url": "https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2025"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Health check port on ZCC allows tunnel bypass",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "73c6f63b-efac-410d-a0a9-569700f85a04",
"assignerShortName": "Zscaler",
"cveId": "CVE-2025-54983",
"datePublished": "2025-11-12T03:07:39.531Z",
"dateReserved": "2025-08-04T14:51:53.367Z",
"dateUpdated": "2025-11-12T18:18:36.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-44003 (GCVE-0-2025-44003)
Vulnerability from cvelistv5 – Published: 2025-07-10 03:09 – Updated: 2025-07-10 13:11- CWE-772 - Missing Release of Resource after Effective Lifetime
| Vendor | Product | Version | |
|---|---|---|---|
| Gallagher | T-Series Readers |
Affected:
0 , ≤ 8.90
(custom)
Affected: 9.20 , < vCR9.20.250213a (custom) Affected: 9.10 , < vCR9.10.250213a (custom) Affected: 9.00 , < vCR9.00.250619a (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-44003",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-10T13:11:06.416095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T13:11:13.511Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "T-Series Readers",
"vendor": "Gallagher",
"versions": [
{
"lessThanOrEqual": "8.90",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "vCR9.20.250213a",
"status": "affected",
"version": "9.20",
"versionType": "custom"
},
{
"lessThan": "vCR9.10.250213a",
"status": "affected",
"version": "9.10",
"versionType": "custom"
},
{
"lessThan": "vCR9.00.250619a",
"status": "affected",
"version": "9.00",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMissing Release of Resource after Effective Lifetime (CWE-772) in the Gallagher T-Series Reader allows an attacker with physical access to the reader to perform a limited denial of service when 125 kHz Card Technology is enabled.\u003c/span\u003e\n\n\u003cp\u003eThis issue affects T-Series Readers: \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e9.20 prior to vCR9.20.250213a (distributed in 9.20.1827 (MR2)), 9.10 prior to vCR9.10.250213a (distributed in 9.10.2692(MR5)), 9.00 prior to vCR9.00.250619a (distributed in \u0026nbsp;vEL9.00.3371 (MR7)), \u0026nbsp;all versions of 8.90 and prior. \u003c/span\u003e\n\n\u003c/p\u003e"
}
],
"value": "Missing Release of Resource after Effective Lifetime (CWE-772) in the Gallagher T-Series Reader allows an attacker with physical access to the reader to perform a limited denial of service when 125 kHz Card Technology is enabled.\n\nThis issue affects T-Series Readers: 9.20 prior to vCR9.20.250213a (distributed in 9.20.1827 (MR2)), 9.10 prior to vCR9.10.250213a (distributed in 9.10.2692(MR5)), 9.00 prior to vCR9.00.250619a (distributed in \u00a0vEL9.00.3371 (MR7)), \u00a0all versions of 8.90 and prior."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-10T03:09:43.640Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-44003"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2025-44003",
"datePublished": "2025-07-10T03:09:43.640Z",
"dateReserved": "2025-06-17T02:18:59.237Z",
"dateUpdated": "2025-07-10T13:11:13.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Mitigation
It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free resources in a function. If you allocate resources that you intend to free upon completion of the function, you must be sure to free the resources at all exit points for that function including error conditions.
Mitigation MIT-47
Strategy: Resource Limitation
- Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems.
- When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users.
- Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).
CAPEC-469: HTTP DoS
An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.