24h | 7d | 30d

CVE-2026-32778

Overview

  • libexpat project
  • libexpat
16 Mar 2026
Published
17 Mar 2026
Updated
CVSS v3.1
LOW (2.9)
EPSS
0.00%
KEV

Description

libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.

Statistics

  • 1 Post
Last activity: 18 hours ago

Bluesky

Profile picture fallback
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
#SUSE mozjs60 DoS vulnerabilities (CVE-2026-32776, CVE-2026-32777, CVE-2026-32778). Check your system, automate patching with a script, and harden with iptables/AppArmor Read more -> tinyurl.com/5xxr7ecx #Security
  • 0
  • 0
  • 0
  • 18h ago

CVE-2026-43500

Overview

  • Linux
  • Linux
11 May 2026
Published
11 May 2026
Updated
CVSS
Pending
EPSS
0.01%
KEV

Description

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.

Statistics

  • 1 Post
Last activity: 5 hours ago

Fediverse

Profile picture fallback
InfoQ @infoq

Two recent #Linux kernel vulnerabilities have been disclosed:
➡️ Copy Fail (CVE-2026-31431)
➡️ Dirty Frag (CVE-2026-43284 & CVE-2026-43500)

Both vulnerabilities exploit flaws in the page cache via different subsystems, necessitating immediate patching by affected organizations.

More details on #InfoQ ➡️ bit.ly/4dHOx47

#DevOps #SecurityVulnerabilities

  • 0
  • 0
  • 0
  • 5h ago

CVE-2026-32776

Overview

  • libexpat project
  • libexpat
16 Mar 2026
Published
16 Mar 2026
Updated
CVSS v3.1
MEDIUM (4.0)
EPSS
0.00%
KEV

Description

libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.

Statistics

  • 1 Post
Last activity: 18 hours ago

Bluesky

Profile picture fallback
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
#SUSE mozjs60 DoS vulnerabilities (CVE-2026-32776, CVE-2026-32777, CVE-2026-32778). Check your system, automate patching with a script, and harden with iptables/AppArmor Read more -> tinyurl.com/5xxr7ecx #Security
  • 0
  • 0
  • 0
  • 18h ago

CVE-2026-32177

Overview

  • Microsoft
  • .NET 10.0
12 May 2026
Published
13 May 2026
Updated
CVSS v3.1
HIGH (7.3)
EPSS
0.09%
KEV

Description

Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 22 hours ago

Fediverse

Profile picture fallback
Brandon H :csharp: :verified: @bc3tech

via @dotnet : .NET and .NET Framework May 2026 servicing releases updates

ift.tt/nkE2LOt
#dotnet #dotnetframework #May2026 #servicingupdates #securityupdates #cve202632177 #cve202635433 #cve202632175 #cve202642899 #release8 #dotnet10 #dotnet9 #dotnet8 #a

  • 1
  • 0
  • 0
  • 22h ago

CVE-2026-32175

Overview

  • Microsoft
  • .NET 10.0
12 May 2026
Published
13 May 2026
Updated
CVSS v3.1
MEDIUM (4.3)
EPSS
0.08%
KEV

Description

A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories. To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system. The security update fixes the vulnerability by ensuring .NET Core properly handles files.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 22 hours ago

Fediverse

Profile picture fallback
Brandon H :csharp: :verified: @bc3tech

via @dotnet : .NET and .NET Framework May 2026 servicing releases updates

ift.tt/nkE2LOt
#dotnet #dotnetframework #May2026 #servicingupdates #securityupdates #cve202632177 #cve202635433 #cve202632175 #cve202642899 #release8 #dotnet10 #dotnet9 #dotnet8 #a

  • 1
  • 0
  • 0
  • 22h ago

CVE-2026-35433

Overview

  • Microsoft
  • .NET 10.0
12 May 2026
Published
13 May 2026
Updated
CVSS v3.1
HIGH (7.3)
EPSS
0.11%
KEV

Description

Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 22 hours ago

Fediverse

Profile picture fallback
Brandon H :csharp: :verified: @bc3tech

via @dotnet : .NET and .NET Framework May 2026 servicing releases updates

ift.tt/nkE2LOt
#dotnet #dotnetframework #May2026 #servicingupdates #securityupdates #cve202632177 #cve202635433 #cve202632175 #cve202642899 #release8 #dotnet10 #dotnet9 #dotnet8 #a

  • 1
  • 0
  • 0
  • 22h ago

CVE-2026-42899

Overview

  • Microsoft
  • .NET 10.0
12 May 2026
Published
13 May 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.04%
KEV

Description

Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 22 hours ago

Fediverse

Profile picture fallback
Brandon H :csharp: :verified: @bc3tech

via @dotnet : .NET and .NET Framework May 2026 servicing releases updates

ift.tt/nkE2LOt
#dotnet #dotnetframework #May2026 #servicingupdates #securityupdates #cve202632177 #cve202635433 #cve202632175 #cve202642899 #release8 #dotnet10 #dotnet9 #dotnet8 #a

  • 1
  • 0
  • 0
  • 22h ago

CVE-2026-43969

Overview

  • ninenines
  • cowlib
  • cowlib
11 May 2026
Published
12 May 2026
Updated
CVSS v4.0
LOW (2.1)
EPSS
0.02%
KEV

Description

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting "; admin=1" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check. This issue affects cowlib from 2.9.0.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: Last hour

Fediverse

Profile picture fallback
Tyler A. Young 🧑🏻‍💻⚗️ @tylerayoung

There have been a heap of CVEs published against the typical #ElixirLang + Phoenix web stack in the last few days. If your mix.lock has any of:

- cowboy < 2.15.0
- cowlib < 2.16.1
- plug < 1.19.2
- bandit < 1.11.1

...you may be vulnerable!

CVEs:

- cna.erlef.org/cves/CVE-2026-84
- cna.erlef.org/cves/CVE-2026-43
- cna.erlef.org/cves/CVE-2026-77
- cna.erlef.org/cves/CVE-2026-43
- cna.erlef.org/cves/CVE-2026-84

  • 0
  • 1
  • 0
  • Last hour

CVE-2026-8466

Overview

  • ninenines
  • cowboy
  • cowboy
13 May 2026
Published
14 May 2026
Updated
CVSS v4.0
HIGH (8.2)
EPSS
0.02%
KEV

Description

Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing. cowboy_req:read_part/3 in src/cowboy_req.erl accumulates incoming request bytes into a Buffer binary with no upper-bound check. When cow_multipart:parse_headers/2 returns more or {more, Buffer2}, the function reads up to Length bytes (default 64 KB) from the request body and recurses with the enlarged buffer. There is no equivalent of the byte_size(Acc) > Length guard present in the sibling function read_part_body/4. An unauthenticated attacker can send a multipart/form-data request whose body never yields a complete header section — for example, a body that never contains the advertised boundary delimiter, or one whose header lines never contain \r\n\r\n — and force the server process to accumulate memory linearly with the bytes the protocol layer is willing to deliver. A handful of concurrent such uploads is sufficient to exhaust BEAM memory. This issue affects cowboy from 2.0.0 before 2.15.0.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: Last hour

Fediverse

Profile picture fallback
Tyler A. Young 🧑🏻‍💻⚗️ @tylerayoung

There have been a heap of CVEs published against the typical #ElixirLang + Phoenix web stack in the last few days. If your mix.lock has any of:

- cowboy < 2.15.0
- cowlib < 2.16.1
- plug < 1.19.2
- bandit < 1.11.1

...you may be vulnerable!

CVEs:

- cna.erlef.org/cves/CVE-2026-84
- cna.erlef.org/cves/CVE-2026-43
- cna.erlef.org/cves/CVE-2026-77
- cna.erlef.org/cves/CVE-2026-43
- cna.erlef.org/cves/CVE-2026-84

  • 0
  • 1
  • 0
  • Last hour

CVE-2026-7790

Overview

  • ninenines
  • cowlib
  • cowlib
11 May 2026
Published
12 May 2026
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.08%
KEV

Description

Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation. The chunked transfer-encoding parser in cow_http_te accepts an unbounded number of hex digits in the chunk-size field. Each digit causes a bignum multiplication (Len * 16 + digit), so parsing N hex digits requires O(N²) CPU work and O(N) memory. Additionally, when input is drip-fed, the parser discards the accumulated length on each partial read and restarts from zero on resumption, raising the cost to O(N³). An unauthenticated remote attacker can exploit this by sending an HTTP/1.1 request with Transfer-Encoding: chunked and a very long chunk-size hex string to cause denial of service through CPU exhaustion and memory amplification. This vulnerability is associated with program file src/cow_http_te.erl and program routines cow_http_te:stream_chunked/2, cow_http_te:chunked_len/4. This issue affects cowlib: from 0.6.0 before 2.16.1.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: Last hour

Fediverse

Profile picture fallback
Tyler A. Young 🧑🏻‍💻⚗️ @tylerayoung

There have been a heap of CVEs published against the typical #ElixirLang + Phoenix web stack in the last few days. If your mix.lock has any of:

- cowboy < 2.15.0
- cowlib < 2.16.1
- plug < 1.19.2
- bandit < 1.11.1

...you may be vulnerable!

CVEs:

- cna.erlef.org/cves/CVE-2026-84
- cna.erlef.org/cves/CVE-2026-43
- cna.erlef.org/cves/CVE-2026-77
- cna.erlef.org/cves/CVE-2026-43
- cna.erlef.org/cves/CVE-2026-84

  • 0
  • 1
  • 0
  • Last hour
Showing 71 to 80 of 82 CVEs