Overview
Description
In the Linux kernel, the following vulnerability has been resolved:
ALSA: aloop: Fix racy access at PCM trigger
The PCM trigger callback of aloop driver tries to check the PCM state
and stop the stream of the tied substream in the corresponding cable.
Since both check and stop operations are performed outside the cable
lock, this may result in UAF when a program attempts to trigger
frequently while opening/closing the tied stream, as spotted by
fuzzers.
For addressing the UAF, this patch changes two things:
- It covers most of the code in loopback_check_format() with the
cable->lock spinlock, and adds the proper NULL checks. This already
avoids some racy accesses.
- In addition, now we try to check the state of the capture PCM stream
that may be stopped in this function, which was the major pain point
leading to UAF.
Statistics
- 1 Post
Last activity: 8 hours ago
Overview
Description
Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.
Statistics
- 1 Post
Last activity: 4 hours ago
Overview
Description
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
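The advisory does not spell out Netty's exact parsing defect, so the following is an added example, not Netty's own code: a strict parser for the chunk-size line of RFC 9112 chunked coding (hex size, then `;name` or `;name=value` extensions, where a quoted value may contain `;`, spaces and backslash-escaped characters but never a CR, LF or unterminated quote). The request-smuggling concern is that a front end and a back end must read the same size from this line; a parser that treats quotes leniently can place the chunk boundary elsewhere than its peer. The function names and the 16-hex-digit cap are choices of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// chunkExt is one parsed chunk extension; Value is "" when no "=" was given.
type chunkExt struct{ Name, Value string }

var errBadChunkLine = errors.New("malformed chunk-size line")

// isTchar reports RFC 9110 token characters.
func isTchar(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') ||
		strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0
}

// isQdtext reports characters allowed unescaped inside a quoted-string. CR, LF
// and other control characters are excluded, so quotes cannot hide a line break.
func isQdtext(c byte) bool {
	return c == '\t' || c == ' ' || c == 0x21 || (c >= 0x23 && c <= 0x5B) ||
		(c >= 0x5D && c <= 0x7E) || c >= 0x80
}

// skipBWS skips optional "bad whitespace" (SP / HTAB).
func skipBWS(s string, i int) int {
	for i < len(s) && (s[i] == ' ' || s[i] == '\t') {
		i++
	}
	return i
}

// scanToken returns the index just past the token starting at s[i].
func scanToken(s string, i int) int {
	for i < len(s) && isTchar(s[i]) {
		i++
	}
	return i
}

// parseQuotedString parses a quoted-string starting at s[i] == '"' and returns
// the unescaped value and the index just past the closing quote.
func parseQuotedString(s string, i int) (string, int, bool) {
	var b strings.Builder
	for i++; i < len(s); i++ {
		switch c := s[i]; {
		case c == '"':
			return b.String(), i + 1, true
		case c == '\\': // quoted-pair: backslash then HTAB / SP / VCHAR / obs-text
			if i+1 >= len(s) || !(isQdtext(s[i+1]) || s[i+1] == '"' || s[i+1] == '\\') {
				return "", 0, false
			}
			i++
			b.WriteByte(s[i])
		case isQdtext(c):
			b.WriteByte(c)
		default:
			return "", 0, false
		}
	}
	return "", 0, false // unterminated quote
}

// parseChunkSizeLine parses one chunk-size line with its CRLF already removed.
// Anything outside the RFC 9112 grammar is rejected rather than guessed at.
func parseChunkSizeLine(line string) (size int64, exts []chunkExt, err error) {
	i := 0
	for i < len(line) && strings.IndexByte("0123456789abcdefABCDEF", line[i]) >= 0 {
		i++
	}
	if i == 0 || i > 16 {
		return 0, nil, errBadChunkLine
	}
	if size, err = strconv.ParseInt(line[:i], 16, 64); err != nil {
		return 0, nil, errBadChunkLine
	}
	for i < len(line) {
		if i = skipBWS(line, i); i >= len(line) || line[i] != ';' {
			return 0, nil, errBadChunkLine
		}
		start := skipBWS(line, i+1)
		if i = scanToken(line, start); i == start {
			return 0, nil, errBadChunkLine
		}
		ext := chunkExt{Name: line[start:i]}
		if j := skipBWS(line, i); j < len(line) && line[j] == '=' {
			start = skipBWS(line, j+1)
			var ok bool
			if start < len(line) && line[start] == '"' {
				ext.Value, i, ok = parseQuotedString(line, start)
			} else {
				i = scanToken(line, start)
				ext.Value, ok = line[start:i], i > start
			}
			if !ok {
				return 0, nil, errBadChunkLine
			}
		}
		exts = append(exts, ext)
	}
	return size, exts, nil
}

func main() {
	for _, l := range []string{`1F;ext`, `a;name="x;y\"z"`, `5;a="bc`, "5;a=\"b\rc\""} {
		size, exts, err := parseChunkSizeLine(l)
		fmt.Printf("%q -> size=%d exts=%v err=%v\n", l, size, exts, err)
	}
}
```

Feeding the parser is the caller's job: read up to the first CRLF, strip it, and hand the rest to `parseChunkSizeLine`; an error must abort the message, never fall back to a looser reading of the line.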
Statistics
- 1 Post
Last activity: 2 hours ago
Overview
- Moxa
- EDR-8010 Series
Published: 27 Apr 2026
Updated: 27 Apr 2026
CVSS v4.0: MEDIUM (6.0)
EPSS: 0.04%
KEV
Description
An improper ownership management vulnerability has been identified in Moxa’s Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information. Exploitation is only possible under a specific condition — when the configuration file has been exported. This vulnerability does not impact the integrity or availability of the affected product, and no confidentiality, integrity, or availability impact to the subsequent system has been identified.
Statistics
- 1 Post
Last activity: 5 hours ago
Overview
Description
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.
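Added example, not Netty's code: a per-connection guard that enforces both a byte limit and a frame-count limit on an in-progress header block. The byte limit alone is what zero-byte `CONTINUATION` frames walk around, since they add nothing to the total; the count limit trips regardless of payload size. Frame types are named strings and the limits (8 frames, 8 KiB) are hypothetical values for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// frame is the minimal view of an HTTP/2 frame the guard needs. Type is the
// frame name; a real implementation would use the numeric type codes.
type frame struct {
	Type       string // "HEADERS", "CONTINUATION", "DATA", ...
	StreamID   uint32
	PayloadLen int
	EndHeaders bool
}

var (
	errTooManyContinuations = errors.New("connection error: CONTINUATION frame limit exceeded")
	errHeaderBlockTooLarge  = errors.New("connection error: header block exceeds size limit")
	errUnexpectedFrame      = errors.New("connection error: CONTINUATION expected")
)

// headerBlockGuard tracks the header block currently being received on one
// connection. MaxContinuations and MaxHeaderBytes are hypothetical limits for
// this example; the count limit is what the zero-byte flood cannot bypass.
type headerBlockGuard struct {
	MaxContinuations int
	MaxHeaderBytes   int

	inProgress    bool
	streamID      uint32
	continuations int
	bytes         int
}

func (g *headerBlockGuard) reset() {
	*g = headerBlockGuard{MaxContinuations: g.MaxContinuations, MaxHeaderBytes: g.MaxHeaderBytes}
}

// onFrame applies the protocol rule that a HEADERS frame without END_HEADERS
// must be followed only by CONTINUATION frames on the same stream, and
// enforces both limits. Any error should tear down the connection.
func (g *headerBlockGuard) onFrame(f frame) error {
	switch f.Type {
	case "HEADERS": // PUSH_PROMISE would be handled the same way; omitted here
		if g.inProgress {
			return errUnexpectedFrame
		}
		g.inProgress, g.streamID, g.bytes = true, f.StreamID, f.PayloadLen
	case "CONTINUATION":
		if !g.inProgress || f.StreamID != g.streamID {
			return errUnexpectedFrame
		}
		g.continuations++ // counted even when PayloadLen == 0
		if g.continuations > g.MaxContinuations {
			g.reset()
			return errTooManyContinuations
		}
		g.bytes += f.PayloadLen
	default:
		if g.inProgress {
			return errUnexpectedFrame
		}
		return nil
	}
	if g.bytes > g.MaxHeaderBytes {
		g.reset()
		return errHeaderBlockTooLarge
	}
	if f.EndHeaders {
		g.reset()
	}
	return nil
}

// feed runs frames through a fresh guard and returns how many were accepted
// before the first error.
func feed(frames []frame, maxCont, maxBytes int) (accepted int, err error) {
	g := &headerBlockGuard{MaxContinuations: maxCont, MaxHeaderBytes: maxBytes}
	for i, f := range frames {
		if err := g.onFrame(f); err != nil {
			return i, err
		}
	}
	return len(frames), nil
}

// zeroByteFlood builds the constructed attack: one HEADERS frame and then n
// empty CONTINUATION frames, none carrying END_HEADERS.
func zeroByteFlood(n int) []frame {
	frames := []frame{{Type: "HEADERS", StreamID: 1, PayloadLen: 64}}
	for i := 0; i < n; i++ {
		frames = append(frames, frame{Type: "CONTINUATION", StreamID: 1})
	}
	return frames
}

func main() {
	accepted, err := feed(zeroByteFlood(100000), 8, 8192)
	fmt.Printf("count limit stopped the flood after %d frames: %v\n", accepted, err)
}
```

With a size-only check the 100,000 empty frames above would all be accepted and each one decoded; with the count limit the connection is closed after the ninth.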
Statistics
- 1 Post
Last activity: 2 hours ago
Overview
Description
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
Statistics
- 1 Post
Last activity: 2 hours ago
Overview
- grpc
- grpc-go
Published: 20 Mar 2026
Updated: 24 Mar 2026
CVSS v3.1: CRITICAL (9.1)
EPSS: 0.02%
KEV
Description
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`, and whose security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability with a validating interceptor (the recommended mitigation), infrastructure-level normalization, and/or policy hardening.
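The bypass and the "validating interceptor" mitigation, as an added example that is not gRPC-Go's or grpc/authz's code. The toy policy is a deny list of canonical paths with a fallback allow, the configuration the advisory says is affected; `validateFullMethod` is the check a `grpc.UnaryServerInterceptor` would apply to `info.FullMethod` before delegating. The example has no grpc dependency, so the rejection is a plain error rather than a `codes.Unimplemented` status; the policy type and function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Decision is the outcome of the toy RBAC evaluation.
type Decision string

const (
	Allow Decision = "allow"
	Deny  Decision = "deny"
)

// errNonCanonicalPath stands in for the codes.Unimplemented status the 1.79.3
// fix returns before any interceptor sees the request.
var errNonCanonicalPath = errors.New("unimplemented: non-canonical :path")

// policy is a hypothetical deny-list policy with a fallback allow.
type policy struct {
	denyPaths []string // canonical "/Service/Method" paths
}

func (p policy) evaluate(fullMethod string) Decision {
	for _, d := range p.denyPaths {
		if fullMethod == d {
			return Deny
		}
	}
	return Allow // fallback allow rule
}

// validateFullMethod accepts exactly "/Service/Method": leading slash, two
// non-empty segments, nothing else. Anything else is rejected before the
// policy is consulted, so deny rules can only ever be matched against the
// canonical form.
func validateFullMethod(fullMethod string) error {
	if !strings.HasPrefix(fullMethod, "/") {
		return errNonCanonicalPath
	}
	parts := strings.Split(fullMethod[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return errNonCanonicalPath
	}
	return nil
}

// authorizeVulnerable evaluates the raw path string, as a pre-1.79.3 server
// with a canonical-path deny rule effectively did.
func authorizeVulnerable(p policy, path string) Decision {
	return p.evaluate(path)
}

// authorizeHardened is the validating-interceptor shape: reject non-canonical
// paths first, then run the same policy.
func authorizeHardened(p policy, path string) (Decision, error) {
	if err := validateFullMethod(path); err != nil {
		return Deny, err
	}
	return p.evaluate(path), nil
}

func main() {
	p := policy{denyPaths: []string{"/admin.Admin/Shutdown"}}
	for _, path := range []string{"/admin.Admin/Shutdown", "admin.Admin/Shutdown", "/public.Echo/Ping"} {
		d, err := authorizeHardened(p, path)
		fmt.Printf("%-24s vulnerable=%-5s hardened=%-5s err=%v\n", path, authorizeVulnerable(p, path), d, err)
	}
}
```

The second input, `admin.Admin/Shutdown` without the slash, is what the attacker sends in raw HTTP/2 frames: the vulnerable evaluation falls through to the allow rule, the hardened one never reaches the policy.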
Statistics
- 5 Posts
Last activity: 2 hours ago
Bluesky
This addresses the following vulnerabilities: CVE-2026-34040 CVE-2026-33186 CVE-2026-24051 N/A Security fixes for apigee-prometheus-adapter. This addresses the following vulnerabilities: CVE-2026-33186 CVE-2026-24051 N/A Security fixes for apigee-redis
CVE-2015-0244 CVE-2015-0243 CVE-2015-0241 N/A Security fixes for apigee-udca. This addresses the following vulnerability: CVE-2026-33186 Sidecar authentication for Workload Identity Federation on non-GKE platforms Starting in version v1.14.4, you can now use a sidecar along
This addresses the following vulnerabilities: CVE-2026-24051 CVE-2025-61729 CVE-2025-61723 CVE-2025-58188 CVE-2025-58187 CVE-2026-33186 N/A Security fixes for apigee-mint-task-scheduler
Overview
Description
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
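The check a download routine needs when the file name comes from an index page or URL, as an added example in Go rather than setuptools' own Python code (the advisory gives no detail of the `PackageIndex` defect, so this shows the general sanitiser, not the specific fix). It rejects rather than normalises: a name is accepted only if it is a plain file name, after percent-decoding, and the joined result is re-checked against the base directory. The function name and the base directory are this example's choices.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

var errUnsafePath = errors.New("refusing file name that would escape the download directory")

// safeDownloadPath maps a file name taken from untrusted input (a link on an
// index page, a URL path segment) onto a path strictly inside baseDir.
func safeDownloadPath(baseDir, untrusted string) (string, error) {
	// Names often arrive percent-encoded; decode first so "..%2F" is seen as "../".
	name, err := url.PathUnescape(untrusted)
	if err != nil {
		return "", errUnsafePath
	}
	// A download target is a single file name: no separators of either kind,
	// no dot entries, no NUL (which would truncate the path in the OS call).
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, "/\\\x00") {
		return "", errUnsafePath
	}
	absBase, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absBase, name)
	// Belt and braces: the cleaned target must still be a direct child of absBase.
	if rel, err := filepath.Rel(absBase, target); err != nil || rel != name {
		return "", errUnsafePath
	}
	return target, nil
}

func main() {
	inputs := []string{
		"requests-2.31.0.tar.gz",          // ordinary sdist name
		"../../etc/cron.d/job",            // classic traversal
		"..%2F..%2Fetc%2Fcron.d%2Fjob",    // same, percent-encoded
		"/etc/passwd",                     // absolute
		"C:\\Windows\\x",                  // backslash separator
	}
	for _, n := range inputs {
		p, err := safeDownloadPath("/tmp/downloads", n)
		fmt.Printf("%-32q -> %q %v\n", n, p, err)
	}
}
```

Whatever writes the file afterwards should open it with `O_EXCL` or an equivalent so an existing file, or a symlink planted at that name, is not overwritten either.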
Statistics
- 1 Post
Last activity: 2 hours ago
Overview
- open-telemetry
- opentelemetry-go
Published: 02 Feb 2026
Updated: 03 Feb 2026
CVSS v3.1: HIGH (7.0)
EPSS: 0.01%
KEV
Description
OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in versions v1.20.0 through v1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command by bare name, so it is located through the PATH search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.
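The search-path lookup beside a hardened resolver, as an added example and not the SDK's code. `exec.LookPath` (what `exec.Command("ioreg", ...)` does internally for a bare name) walks `$PATH`, so whoever controls that variable picks the binary; `resolveTrusted` instead looks only in a caller-supplied list of directories and ignores the environment. The directory list, the `ioreg` argument list and the function names are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

var errNotInTrustedDir = errors.New("executable not found in trusted directories")

// resolveTrusted looks a bare command name up only in trustedDirs, ignoring the
// process's PATH entirely. trustedDirs is a hypothetical allow-list supplied by
// the caller (for a macOS-only tool, something like /usr/sbin and /sbin).
func resolveTrusted(name string, trustedDirs []string) (string, error) {
	if filepath.Base(name) != name {
		return "", errors.New("command name must not contain a path")
	}
	for _, dir := range trustedDirs {
		p := filepath.Join(dir, name)
		if st, err := os.Stat(p); err == nil && !st.IsDir() && st.Mode()&0o111 != 0 {
			return p, nil
		}
	}
	return "", errNotInTrustedDir
}

// lookupViaPath is the search-path behaviour shown for contrast: exec.LookPath
// consults $PATH, so a writable directory early in PATH wins.
func lookupViaPath(name string) (string, error) {
	return exec.LookPath(name)
}

// hostIDCommand builds the command the hardened way: resolved to an absolute
// path before exec.Command sees it, and run with a fixed, minimal environment
// so PATH from the parent cannot influence anything the child execs in turn.
// The argument list is an assumption of this example.
func hostIDCommand(trustedDirs []string) (*exec.Cmd, error) {
	bin, err := resolveTrusted("ioreg", trustedDirs)
	if err != nil {
		return nil, err
	}
	cmd := exec.Command(bin, "-rd1", "-c", "IOPlatformExpertDevice")
	cmd.Env = []string{"PATH=/usr/bin:/bin"}
	return cmd, nil
}

func main() {
	bin, err := resolveTrusted("ioreg", []string{"/usr/sbin", "/sbin"})
	fmt.Println("trusted lookup:", bin, err)
	viaPath, err := lookupViaPath("ioreg")
	fmt.Println("PATH lookup:   ", viaPath, err)
}
```

On a non-macOS host both lookups fail, which is the correct outcome: the hardened path never falls back to searching the environment.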
Statistics
- 4 Posts
Last activity: 2 hours ago
Overview
Description
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.
Statistics
- 3 Posts
Last activity: 2 hours ago