Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0841
Vulnerability from certfr_avis - Published: 2026-07-07 - Updated: 2026-07-07
De multiples vulnérabilités ont été découvertes dans Microsoft Azure Linux. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | Azure Linux | azl3 dhcpcd 10.0.8-2 versions antérieures à 10.0.8-4 | ||
| Microsoft | Azure Linux | azl3 runc 1.3.3-2 versions antérieures à 1.3.6-1 | ||
| Microsoft | Azure Linux | azl3 util-linux 2.40.2-4 versions antérieures à 2.40.2-5 | ||
| Microsoft | Azure Linux | azl3 perl-Bytes-Random-Secure 0.29-21 versions antérieures à 0.29-22 | ||
| Microsoft | Azure Linux | azl3 libssh2 1.11.1-3 versions antérieures à 1.11.1-4 | ||
| Microsoft | Azure Linux | azl3 qemu 9.1.0-9 versions antérieures à 9.1.0-10 | ||
| Microsoft | Azure Linux | azl3 tmux 3.4-1 versions antérieures à 3.4-2 | ||
| Microsoft | Azure Linux | azl3 nmap 7.95-3 versions antérieures à 7.95-4 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "azl3 dhcpcd 10.0.8-2 versions ant\u00e9rieures \u00e0 10.0.8-4",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 runc 1.3.3-2 versions ant\u00e9rieures \u00e0 1.3.6-1",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 util-linux 2.40.2-4 versions ant\u00e9rieures \u00e0 2.40.2-5",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 perl-Bytes-Random-Secure 0.29-21 versions ant\u00e9rieures \u00e0 0.29-22",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 libssh2 1.11.1-3 versions ant\u00e9rieures \u00e0 1.11.1-4",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 qemu 9.1.0-9 versions ant\u00e9rieures \u00e0 9.1.0-10",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 tmux 3.4-1 versions ant\u00e9rieures \u00e0 3.4-2",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 nmap 7.95-3 versions ant\u00e9rieures \u00e0 7.95-4",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-13595",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-13595"
},
{
"name": "CVE-2025-15661",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15661"
},
{
"name": "CVE-2026-14258",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-14258"
},
{
"name": "CVE-2026-3196",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3196"
},
{
"name": "CVE-2026-11623",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-11623"
},
{
"name": "CVE-2026-41579",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41579"
},
{
"name": "CVE-2026-11625",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-11625"
},
{
"name": "CVE-2026-58058",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-58058"
},
{
"name": "CVE-2026-55199",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-55199"
}
],
"initial_release_date": "2026-07-07T00:00:00",
"last_revision_date": "2026-07-07T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0841",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-07-07T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Microsoft Azure Linux. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Azure Linux",
"vendor_advisories": [
{
"published_at": "2026-07-01",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Azure Linux CVE-2026-11625",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11625"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Azure Linux CVE-2026-55199",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55199"
},
{
"published_at": "2026-07-01",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Azure Linux CVE-2026-13595",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-13595"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Azure Linux CVE-2026-3196",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-3196"
},
{
"published_at": "2026-07-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Azure Linux CVE-2026-41579",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41579"
},
{
"published_at": "2026-07-03",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Azure Linux CVE-2026-14258",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-14258"
},
{
"published_at": "2026-06-21",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Azure Linux CVE-2026-11623",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11623"
},
{
"published_at": "2026-06-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Azure Linux CVE-2026-58058",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58058"
},
{
"published_at": "2026-06-27",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft Azure Linux CVE-2025-15661",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-15661"
}
]
}
CVE-2025-15661 (GCVE-0-2025-15661)
Vulnerability from cvelistv5 – Published: 2026-06-18 20:18 – Updated: 2026-06-23 16:13 X_Open Source
VLAI
EPSS
Title
libssh2 - Heap Buffer Over-read via sftp_symlink() in sftp.c
Summary
libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/libssh2/libssh2/pull/1705 | issue-tracking |
| https://github.com/libssh2/libssh2/pull/1717 | issue-tracking |
| https://github.com/libssh2/libssh2/commit/2dae302… | patch |
| https://www.vulncheck.com/advisories/libssh2-heap… | third-party-advisory |
Impacted products
Date Public
2025-10-06 00:00
Credits
Joshua Rogers
Tristan Madani (@TristanInSec)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15661",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T18:07:05.411976Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T18:07:10.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "libssh2",
"repo": "https://github.com/libssh2/libssh2",
"vendor": "libssh2",
"versions": [
{
"lessThanOrEqual": "1.11.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "2dae3024897e1898d389835151f4e9606227721d",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joshua Rogers"
},
{
"lang": "en",
"type": "reporter",
"value": "Tristan Madani (@TristanInSec)"
}
],
"datePublic": "2025-10-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T16:13:21.698Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Researcher Pull Request",
"tags": [
"issue-tracking"
],
"url": "https://github.com/libssh2/libssh2/pull/1705"
},
{
"name": "Maintainer Pull Request",
"tags": [
"issue-tracking"
],
"url": "https://github.com/libssh2/libssh2/pull/1717"
},
{
"name": "Patch Commit",
"tags": [
"patch"
],
"url": "https://github.com/libssh2/libssh2/commit/2dae3024897e1898d389835151f4e9606227721d"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/libssh2-heap-buffer-over-read-via-sftp-symlink-in-sftp-c"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "libssh2 - Heap Buffer Over-read via sftp_symlink() in sftp.c",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2025-15661",
"datePublished": "2026-06-18T20:18:29.475Z",
"dateReserved": "2026-06-18T20:12:38.095Z",
"dateUpdated": "2026-06-23T16:13:21.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11623 (GCVE-0-2026-11623)
Vulnerability from cvelistv5 – Published: 2026-06-09 03:15 – Updated: 2026-06-23 04:49 X_Open Source
VLAI
EPSS
Title
tmux image.c image_free use after free
Summary
A security vulnerability has been detected in tmux up to 3.6a. Affected is the function image_free of the file image.c. Such manipulation leads to use after free. Local access is required to approach this attack. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 3.7-rc is able to address this issue. The name of the patch is fc6d94a9f8a593bd8b7031650802084385d4ee03. The affected component should be upgraded.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369303 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369303/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11623 | third-party-advisory |
| https://vuldb.com/submit/835623 | third-party-advisory |
| https://gist.github.com/XlabAITeam/f0d9952595f795… | exploit |
| https://github.com/tmux/tmux/commit/fc6d94a9f8a59… | patch |
| https://github.com/tmux/tmux/releases/tag/3.7-rc | patch |
| https://github.com/tmux/tmux/ | product |
Impacted products
Credits
XlabAI (VulDB User)
XlabAI (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11623",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T13:28:02.658544Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T13:28:45.324Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:tmux:tmux:*:*:*:*:*:*:*:*"
],
"product": "tmux",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.6a"
},
{
"status": "unaffected",
"version": "3.7-rc"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "XlabAI (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "XlabAI (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in tmux up to 3.6a. Affected is the function image_free of the file image.c. Such manipulation leads to use after free. Local access is required to approach this attack. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 3.7-rc is able to address this issue. The name of the patch is fc6d94a9f8a593bd8b7031650802084385d4ee03. The affected component should be upgraded."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.5,
"vectorString": "AV:L/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T04:49:28.666Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369303 | tmux image.c image_free use after free",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369303"
},
{
"name": "VDB-369303 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369303/cti"
},
{
"name": "CVE-2026-11623 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11623"
},
{
"name": "Submit #835623 | tmux \u003c= 3.6a Use After Free",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/835623"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/XlabAITeam/f0d9952595f795129a3258ba73bbc3cb"
},
{
"tags": [
"patch"
],
"url": "https://github.com/tmux/tmux/commit/fc6d94a9f8a593bd8b7031650802084385d4ee03"
},
{
"tags": [
"patch"
],
"url": "https://github.com/tmux/tmux/releases/tag/3.7-rc"
},
{
"tags": [
"product"
],
"url": "https://github.com/tmux/tmux/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-06-08T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-08T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-23T06:54:09.000Z",
"value": "VulDB entry last update"
}
],
"title": "tmux image.c image_free use after free"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11623",
"datePublished": "2026-06-09T03:15:12.467Z",
"dateReserved": "2026-06-08T20:19:58.448Z",
"dateUpdated": "2026-06-23T04:49:28.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11625 (GCVE-0-2026-11625)
Vulnerability from cvelistv5 – Published: 2026-06-26 08:07 – Updated: 2026-07-01 14:34
VLAI
EPSS
Title
Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes
Summary
Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes.
When an object is initialised before forking, or when the functional interface is used, then the internal state for the PRNG is shared across processes and identical random streams will be produced.
Secrets generated in multiprocess applications are predictable across processes.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-335 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/daoswald/Bytes-Random-Secure/i… | issue-tracking |
| https://github.com/daoswald/Bytes-Random-Secure/pull/4 | issue-tracking |
| https://security.metacpan.org/patches/B/Bytes-Ran… | patch |
| https://www.cve.org/CVERecord?id=CVE-2026-11702 | related |
| https://www.cve.org/CVERecord?id=CVE-2026-41564 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| DAVIDO | Bytes::Random::Secure |
Affected:
0 , ≤ 0.29
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-11625",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T16:14:14.671944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:14:22.833Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Bytes-Random-Secure",
"product": "Bytes::Random::Secure",
"programFiles": [
"lib/Bytes/Random/Secure.pm"
],
"repo": "https://github.com/daoswald/Bytes-Random-Secure",
"vendor": "DAVIDO",
"versions": [
{
"lessThanOrEqual": "0.29",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes.\n\nWhen an object is initialised before forking, or when the functional interface is used, then the internal state for the PRNG is shared across processes and identical random streams will be produced.\n\nSecrets generated in multiprocess applications are predictable across processes."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-335",
"description": "CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:34:43.953Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/daoswald/Bytes-Random-Secure/issues/3"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/daoswald/Bytes-Random-Secure/pull/4"
},
{
"tags": [
"patch"
],
"url": "https://security.metacpan.org/patches/B/Bytes-Random-Secure/0.29/CVE-2026-11625-r1.patch"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-11702"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41564"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-26T00:00:00.000Z",
"value": "Issue reported to CPANSec."
},
{
"lang": "en",
"time": "2026-06-08T00:00:00.000Z",
"value": "Maintainer notified."
},
{
"lang": "en",
"time": "2026-06-24T00:00:00.000Z",
"value": "Issue publicly reported on GitHub."
},
{
"lang": "en",
"time": "2026-06-30T00:00:00.000Z",
"value": "Patch merged."
}
],
"title": "Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes",
"workarounds": [
{
"lang": "en",
"value": "Apply the patch.\n\nOtherwise, only use the object-oriented interface and ensure that the object is only instantiated in a child process after forking.\n\nAlternatively, use a different module such as Crypt::PRNG, Crypt::SysRandom or Crypt::URandom."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-11625",
"datePublished": "2026-06-26T08:07:30.141Z",
"dateReserved": "2026-06-08T21:02:09.596Z",
"dateUpdated": "2026-07-01T14:34:43.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13595 (GCVE-0-2026-13595)
Vulnerability from cvelistv5 – Published: 2026-06-29 08:06 – Updated: 2026-06-30 02:14
VLAI
EPSS
Title
Util-linux: util-linux: heap use-after-free in libblkid nested partition probing
Summary
A flaw was found in the libblkid library of util-linux. During nested partition probing, the BSD, Minix, Solaris x86, and UnixWare partition probers cache a raw pointer to a parent partition entry in a dynamically allocated array. When subsequent partition additions cause the array to be reallocated, this pointer becomes stale, leading to a heap use-after-free read. An attacker who can present a crafted block device image (for example, via USB insertion or a loop-mounted disk image) can trigger this flaw without user interaction, as libblkid is invoked automatically by udev/udisks as root on block-device hot-plug events. This could lead to limited information disclosure or denial of service.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:26573 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2026-13595 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2494101 | issue-trackingx_refsource_REDHAT |
| https://github.com/util-linux/util-linux/commit/c… |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat Hardened Images |
Unaffected:
2.42.2-1.hum1 , < *
(rpm)
cpe:/a:redhat:hummingbird:1 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
Date Public
2026-05-07 00:00
Credits
Red Hat would like to thank Thai Duong (Calif.io in collaboration with Claude and Anthropic Research) for reporting this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13595",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:50:15.269617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:50:26.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:hummingbird:1"
],
"defaultStatus": "affected",
"packageName": "util-linux-main",
"product": "Red Hat Hardened Images",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "2.42.2-1.hum1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"packageName": "util-linux",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "affected",
"packageName": "util-linux",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "util-linux",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "util-linux",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "affected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Thai Duong (Calif.io in collaboration with Claude and Anthropic Research) for reporting this issue."
}
],
"datePublic": "2026-05-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the libblkid library of util-linux. During nested partition probing, the BSD, Minix, Solaris x86, and UnixWare partition probers cache a raw pointer to a parent partition entry in a dynamically allocated array. When subsequent partition additions cause the array to be reallocated, this pointer becomes stale, leading to a heap use-after-free read. An attacker who can present a crafted block device image (for example, via USB insertion or a loop-mounted disk image) can trigger this flaw without user interaction, as libblkid is invoked automatically by udev/udisks as root on block-device hot-plug events. This could lead to limited information disclosure or denial of service."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T02:14:09.471Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:26573",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:26573"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-13595"
},
{
"name": "RHBZ#2494101",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494101"
},
{
"url": "https://github.com/util-linux/util-linux/commit/c0186f14fbdb02f64c8e0ba701ce727ea764ff4c"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-07T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-07T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Util-linux: util-linux: heap use-after-free in libblkid nested partition probing",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-416: Use After Free"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-13595",
"datePublished": "2026-06-29T08:06:09.059Z",
"dateReserved": "2026-06-29T07:20:52.583Z",
"dateUpdated": "2026-06-30T02:14:09.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14258 (GCVE-0-2026-14258)
Vulnerability from cvelistv5 – Published: 2026-07-01 09:24 – Updated: 2026-07-01 12:20
VLAI
EPSS
Title
Dhcpcd: dhcpcd infinite loop and out-of-bounds read via zero-length ipv6 nd option in router advertisement handling
Summary
A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser to enter a non-advancing loop. Successful exploitation may result in excessive CPU consumption, leading to a denial of service.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2026-14258 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2462305 | issue-trackingx_refsource_REDHAT |
| https://github.com/NetworkConfiguration/dhcpcd/co… | |
| https://github.com/NetworkConfiguration/dhcpcd/is… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
Date Public
2024-12-01 00:00
Credits
Red Hat would like to thank AISLE Research for reporting this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14258",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T12:20:39.579180Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T12:20:42.349Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/NetworkConfiguration/dhcpcd/issues/415"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"packageName": "dhcpcd",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank AISLE Research for reporting this issue."
}
],
"datePublic": "2024-12-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in dhcpcd\u0027s IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser to enter a non-advancing loop. Successful exploitation may result in excessive CPU consumption, leading to a denial of service."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T09:24:51.479Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-14258"
},
{
"name": "RHBZ#2462305",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2462305"
},
{
"url": "https://github.com/NetworkConfiguration/dhcpcd/commit/75289ca"
},
{
"url": "https://github.com/NetworkConfiguration/dhcpcd/issues/415"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-26T18:47:11.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-12-01T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Dhcpcd: dhcpcd infinite loop and out-of-bounds read via zero-length ipv6 nd option in router advertisement handling",
"workarounds": [
{
"lang": "en",
"value": "Until an updated package is available, administrators should disable IPv6 Router Advertisement processing on interfaces where it is not required or restrict acceptance of untrusted ICMPv6 Router Advertisements using appropriate network filtering. \n\nSystems that rely on IPv6 Stateless Address Autoconfiguration (SLAAC) or Router Advertisement-based network configuration should carefully evaluate the operational impact before applying these mitigations."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-14258",
"datePublished": "2026-07-01T09:24:51.479Z",
"dateReserved": "2026-06-30T15:57:04.334Z",
"dateUpdated": "2026-07-01T12:20:42.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3196 (GCVE-0-2026-3196)
Vulnerability from cvelistv5 – Published: 2026-06-19 16:23 – Updated: 2026-06-22 15:54
VLAI
EPSS
Title
Qemu-kvm: virtio-snd: integer overflow leading to unbounded memory allocation
Summary
An integer overflow vulnerability was found in the virtio-snd device via PCM_INFO requests from the guest. A malicious guest can provide out-of-bounds stream counts, potentially leading to unbounded memory allocation on the host and a denial of service condition.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2026-3196 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2443789 | issue-trackingx_refsource_REDHAT |
Impacted products
7 products
| Vendor | Product | Version | |
|---|---|---|---|
|
Affected:
8.2.0 , ≤ 10.2.1
(semver)
|
|||
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
|
| Red Hat | Red Hat OpenShift Container Platform 4 |
cpe:/a:redhat:openshift:4 |
Date Public
2026-02-20 00:00
Credits
Red Hat would like to thank Mingyuan Luo for reporting this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3196",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T15:53:48.897784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:54:04.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://gitlab.com/qemu-project/qemu",
"defaultStatus": "unaffected",
"packageName": "qemu",
"versions": [
{
"lessThanOrEqual": "10.2.1",
"status": "affected",
"version": "8.2.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unaffected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unaffected",
"packageName": "qemu-kvm-ma",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "unaffected",
"packageName": "virt:rhel/qemu-kvm",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "qemu-kvm",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:openshift:4"
],
"defaultStatus": "unaffected",
"packageName": "rhcos",
"product": "Red Hat OpenShift Container Platform 4",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Mingyuan Luo for reporting this issue."
}
],
"datePublic": "2026-02-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An integer overflow vulnerability was found in the virtio-snd device via PCM_INFO requests from the guest. A malicious guest can provide out-of-bounds stream counts, potentially leading to unbounded memory allocation on the host and a denial of service condition."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T16:23:02.849Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-3196"
},
{
"name": "RHBZ#2443789",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443789"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-02T11:23:01.603Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-02-20T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Qemu-kvm: virtio-snd: integer overflow leading to unbounded memory allocation",
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-190: Integer Overflow or Wraparound"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2026-3196",
"datePublished": "2026-06-19T16:23:02.849Z",
"dateReserved": "2026-02-25T11:09:37.726Z",
"dateUpdated": "2026-06-22T15:54:04.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41579 (GCVE-0-2026-41579)
Vulnerability from cvelistv5 – Published: 2026-07-01 00:02 – Updated: 2026-07-01 13:35
VLAI
EPSS
Title
runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations
Summary
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions prior to 1.3.6, 1.4.0-rc.1, 1.4.0-rc.12, 1.5.0-rc.1, and 1.5.0-rc.1, when setting up the container rootfs, setupPtmx and setupDevSymlinks call os.Remove and os.Symlink with a filepath.Join string which allow an image with /dev as a symlink to trick runc into deleting files called ptmx on the host or creating a hardcoded set of symlinks with specific names and targets in an arbitrary pre-existing host directory. This issue is not exploitable under Docker, because Docker creates a top-level read-only layer that masks any malicious /dev symlink present in the container image — unlike some other Linux container tooling, whose higher-level runtimes built on runc remain exposed to exploitation via a malicious image. This issue has been fixed in versions 1.3.6, 1.4.3 and 1.5.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/opencontainers/runc/security/a… | x_refsource_CONFIRM |
| https://github.com/opencontainers/runc/commit/864… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| opencontainers | runc |
Affected:
< 1.3.6
Affected: >= 1.4.0-rc.1, < 1.4.3 Affected: >= 1.5.0-rc.1, < 1.5.0-rc.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41579",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T13:34:05.348945Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:35:41.354Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "runc",
"vendor": "opencontainers",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.6"
},
{
"status": "affected",
"version": "\u003e= 1.4.0-rc.1, \u003c 1.4.3"
},
{
"status": "affected",
"version": "\u003e= 1.5.0-rc.1, \u003c 1.5.0-rc.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "runc is a CLI tool for spawning and running containers according to the OCI specification. In versions prior to 1.3.6, 1.4.0-rc.1, 1.4.0-rc.12, 1.5.0-rc.1, and 1.5.0-rc.1, when setting up the container rootfs, setupPtmx and setupDevSymlinks call os.Remove and os.Symlink with a filepath.Join string which allow an image with /dev as a symlink to trick runc into deleting files called ptmx on the host or creating a hardcoded set of symlinks with specific names and targets in an arbitrary pre-existing host directory. This issue is not exploitable under Docker, because Docker creates a top-level read-only layer that masks any malicious /dev\u00a0symlink present in the container image \u2014 unlike some other Linux container tooling, whose higher-level runtimes built on runc remain exposed to exploitation via a malicious image. This issue has been fixed in versions 1.3.6, 1.4.3 and 1.5.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T00:02:08.639Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opencontainers/runc/security/advisories/GHSA-xjvp-4fhw-gc47",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opencontainers/runc/security/advisories/GHSA-xjvp-4fhw-gc47"
},
{
"name": "https://github.com/opencontainers/runc/commit/864db8042dbb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opencontainers/runc/commit/864db8042dbb"
}
],
"source": {
"advisory": "GHSA-xjvp-4fhw-gc47",
"discovery": "UNKNOWN"
},
"title": "runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41579",
"datePublished": "2026-07-01T00:02:08.639Z",
"dateReserved": "2026-04-21T14:15:21.958Z",
"dateUpdated": "2026-07-01T13:35:41.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55199 (GCVE-0-2026-55199)
Vulnerability from cvelistv5 – Published: 2026-06-17 18:44 – Updated: 2026-06-18 15:31 X_Open Source
VLAI
EPSS
Title
libssh2 - Pre-Authentication DoS via SSH_MSG_EXT_INFO Handler
Summary
libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/libssh2/libssh2/pull/1864 | issue-tracking |
| https://github.com/libssh2/libssh2/commit/1762685… | patch |
| https://www.vulncheck.com/advisories/libssh2-pre-… | third-party-advisory |
Impacted products
Date Public
2026-04-15 00:00
Credits
Tristan Madani (@TristanInSec)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55199",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T15:31:38.712448Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T15:31:59.479Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "libssh2",
"repo": "https://github.com/libssh2/libssh2",
"vendor": "libssh2",
"versions": [
{
"lessThanOrEqual": "1.11.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "17626857d20b3c9a1addfa45979dadcee1cd84a4",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:libssh2:libssh2:*:*:*:*:*:*:*:*",
"versionEndIncluding": "1.11.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tristan Madani (@TristanInSec)"
}
],
"datePublic": "2026-04-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T11:45:37.547Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Pull Request",
"tags": [
"issue-tracking"
],
"url": "https://github.com/libssh2/libssh2/pull/1864"
},
{
"name": "Patch Commit",
"tags": [
"patch"
],
"url": "https://github.com/libssh2/libssh2/commit/17626857d20b3c9a1addfa45979dadcee1cd84a4"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/libssh2-pre-authentication-dos-via-ssh-msg-ext-info-handler"
}
],
"tags": [
"x_open-source"
],
"title": "libssh2 - Pre-Authentication DoS via SSH_MSG_EXT_INFO Handler",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-55199",
"datePublished": "2026-06-17T18:44:18.048Z",
"dateReserved": "2026-06-16T15:53:37.764Z",
"dateUpdated": "2026-06-18T15:31:59.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58058 (GCVE-0-2026-58058)
Vulnerability from cvelistv5 – Published: 2026-06-28 01:32 – Updated: 2026-06-29 14:53
VLAI
EPSS
Title
Nmap - Integer Underflow in IPv6 Extension Header Parsing
Summary
Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-191 - Integer Underflow (Wrap or Wraparound)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/bikini/exploitarium/tree/main/… | exploitthird-party-advisory |
| https://github.com/nmap/nmap/commit/bb6754e76bb16… | patch |
| https://nmap.org/changelog.html | release-notes |
| https://www.vulncheck.com/advisories/nmap-integer… | third-party-advisory |
Date Public
2026-06-25 00:00
Credits
Himanshu Anand
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58058",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T14:49:07.833303Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T14:53:48.365Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Nmap",
"vendor": "Nmap",
"versions": [
{
"lessThanOrEqual": "7.99",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nmap:nmap:*:*:*:*:*:*:*:*",
"versionEndIncluding": "7.99",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Himanshu Anand"
}
],
"datePublic": "2026-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS"
},
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T01:32:59.336Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Proof of Concept",
"tags": [
"exploit",
"third-party-advisory"
],
"url": "https://github.com/bikini/exploitarium/tree/main/nmap-ipv6-extlen-wrap-poc"
},
{
"name": "Fix commit (dev tree)",
"tags": [
"patch"
],
"url": "https://github.com/nmap/nmap/commit/bb6754e76bb1686315008e1aa1c40202a513fb83"
},
{
"name": "Nmap Change Log",
"tags": [
"release-notes"
],
"url": "https://nmap.org/changelog.html"
},
{
"name": "VulnCheck Advisory: Nmap - Integer Underflow in IPv6 Extension Header Parsing",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/nmap-integer-underflow-in-ipv6-extension-header-parsing"
}
],
"title": "Nmap - Integer Underflow in IPv6 Extension Header Parsing",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-58058",
"datePublished": "2026-06-28T01:32:59.336Z",
"dateReserved": "2026-06-28T00:58:47.763Z",
"dateUpdated": "2026-06-29T14:53:48.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…