Malcolm v26.05.1 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

Malcolm v26.05.1 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.05.0...v26.05.1

• ✨ Features and enhancements
  • Improvements to alerting loopback webhook API endpoint (#971) (see also this discussion)
  • Add Suricata OT rules for D-Link HNAP abuse detection (#969) (Suricata detection for GHSA-m69q-2cfc-q63c / CVE-2026-8260; thanks @sercanokur)
  • Added the File Tree visualization dashboard which presents a hierarchical breakdown of files observed in network traffic, particularly with regards to archived files such as ZIP files or tarballs, allowing parent/child relationships between nested files to be explored. (thanks @sbhiens25)
• ✅ Component version updates
  • Filebeat to v9.4.1
  • Fluent Bit to v5.0.5
  • GitPython to v3.1.50 to address high vulnerabilities CVE-2026-44244, CVE-2026-44243, and CVE-2026-42284
  • Logstash to v9.4.1
  • NetBox to v4.5.x (#955)
    • This is a major NetBox release, up from v4.4.10. It's recommended that you back up your NetBox database before upgrading.
    • these NetBox plugins were also updated:
      • netbox-initializers to v4.5.1
      • netbox-topology-views to v4.5.1
      • Device-Type-Library-Import switched to marcinpsk/Device-Type-Library-Import fork
    • thanks to @boscard in this discussion for some tips on running NetBox docker on a base path.
  • OpenResty to v1.29.2.4, which, in addition to other fixes and changes, addresses the following CVEs
    • critical: RCE heap buffer overflow vulnerability in NGINX CVE-2026-42945 (#976)
    • high: Buffer overflow in ngx_http_dav_module CVE-2026-27654
    • high: Buffer overflow in the ngx_http_mp4_module CVE-2026-27784
    • high: Buffer overflow in the ngx_http_mp4_module CVE-2026-32647
    • high: NULL pointer dereference while using CRAM-MD5 or APOP CVE-2026-27651
    • medium: Injection in auth_http and XCLIENT CVE-2026-28753
    • medium: OCSP result bypass in stream CVE-2026-28755
    • high: SSL upstream injection CVE-2026-1642
  • urllib3 to v2.7.0 to address high vulnerabilities CVE-2026-44431 and CVE-2026-44432
• 🐛 Bug fixes
  • Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
  • Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
  • When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
  • Suricata's HTTP version was not being normalized to network.protocol_version.
• 🧹 Code and project maintenance
  • Added Malcolm Dashboard Reference to documentation
  • Completely rewrote Upgrading Malcolm in documentation
  • Updated links to protocols page in documentation for new Arkime protocol support (thanks @awick)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Malcolm v26.05.1 is out?!? What, already? Déjà vu? We bumped up to the timetable on this release as a critical vulnerability found in NGINX made it expedient for us to do so.

Malcolm v26.05.1 focuses heavily on security updates, most notably upgrading OpenResty to address a critical NGINX remote code execution heap buffer overflow vulnerability. It also adds new Suricata OT detections for D-Link HNAP abuse, improves alerting webhook support, introduces the File Tree dashboard, and includes Suricata parsing/mapping fixes and documentation updates. Several other components received version bumps as well.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.05.0...v26.05.1

• ✨ Features and enhancements
  • Improvements to alerting loopback webhook API endpoint (#971) (see also this discussion)
  • Add Suricata OT rules for D-Link HNAP abuse detection (#969) (Suricata detection for GHSA-m69q-2cfc-q63c / CVE-2026-8260; thanks @sercanokur)
  • Added the File Tree visualization dashboard which presents a hierarchical breakdown of files observed in network traffic, particularly with regards to archived files such as ZIP files or tarballs, allowing parent/child relationships between nested files to be explored. (thanks @sbhiens25)
• ✅ Component version updates
  • Filebeat to v9.4.1
  • Fluent Bit to v5.0.5
  • GitPython to v3.1.50 to address high vulnerabilities CVE-2026-44244, CVE-2026-44243, and CVE-2026-42284
  • Logstash to v9.4.1
  • NetBox to v4.5.x (#955)
    • This is a major NetBox release, up from v4.4.10. It's recommended that you back up your NetBox database before upgrading.
    • these NetBox plugins were also updated:
      • netbox-initializers to v4.5.1
      • netbox-topology-views to v4.5.1
      • Device-Type-Library-Import switched to marcinpsk/Device-Type-Library-Import fork
    • thanks to @boscard in this discussion for some tips on running NetBox docker on a base path.
  • OpenResty to v1.29.2.4, which, in addition to other fixes and changes, addresses the following CVEs
    • critical: RCE heap buffer overflow vulnerability in NGINX CVE-2026-42945 (#976)
    • high: Buffer overflow in ngx_http_dav_module CVE-2026-27654
    • high: Buffer overflow in the ngx_http_mp4_module CVE-2026-27784
    • high: Buffer overflow in the ngx_http_mp4_module CVE-2026-32647
    • high: NULL pointer dereference while using CRAM-MD5 or APOP CVE-2026-27651
    • medium: Injection in auth_http and XCLIENT CVE-2026-28753
    • medium: OCSP result bypass in stream CVE-2026-28755
    • high: SSL upstream injection CVE-2026-1642
  • urllib3 to v2.7.0 to address high vulnerabilities CVE-2026-44431 and CVE-2026-44432
• 🐛 Bug fixes
  • Reference Counting (Use-After-Free) Bug for PyList_SetItem in filescan's python-statfs (#960 #962)
  • Added a few missing Suricata fields (suricata.tc_progress, suricata.ts_progress, suricata.tunnel.pcap_cnt, suricata.tunnel.pkt_src) to the index mapping template
  • When suricata.app_proto_ts and/or suricata.app_proto_tc reported that protocol parsing had failed (due to malformed input data), invalid data could be stored in HTTP, DNS, and/or TLS fields. This is now detected and those invalid values are dropped, and some combination of proto_parse_failed, client_stream_failed, or server_stream_failed are added to tags.
  • Suricata's HTTP version was not being normalized to network.protocol_version.
• 🧹 Code and project maintenance
  • Added Malcolm Dashboard Reference to documentation
  • Completely rewrote Upgrading Malcolm in documentation
  • Updated links to protocols page in documentation for new Arkime protocol support (thanks @awick)

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL