Threat Intelligence Database

Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl contain a heap-based out-of-bounds read vulnerability in the print_attribute UTF8STRING path. The function copies an ASN.1 UTF8STRING attribute value into a heap buffer sized exactly to the declared length without a null terminator. Subsequent calls to strlen() on this buffer cause reading beyond the allocated memory, potentially leaking adjacent heap data into a Perl scalar.

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes a signed integer overflow in `de265_image_get_buffer()` (`libde265/image.cc:128`). The overflow wraps the plane allocation size to a small value (~1 KB), but the subsequent `fill_image()` call computes the real size using `size_t`, writing ~4 GB into the undersized heap buffer. Version 1.1.0 patches the issue.

ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 2.0.0 through 3.0.8, the ProxySQL MySQL frontend accepts the `PROXY UNKNOWN <addr> <addr> <port> <port>\r\n` PP1 frame as a well-formed PROXY protocol header. The HAProxy PROXY protocol v1 specification says that when the protocol token is `UNKNOWN`, the receiver MUST ignore any address fields that follow it, because the proxy has declared it cannot determine the client identity. ProxySQL parses those address fields anyway via `sscanf` and writes the spoofed source address into the session's `addr.addr` field. From there it flows directly into the query-rule matcher, where the `client_addr` predicate decides routing and ACL. When `mysql-proxy_protocol_networks = '*'` (the default), any TCP peer can send a PP1 frame and choose any source IP claim. With that, any `mysql_query_rules` row pinned to a `client_addr` value is forgeable: the attacker writes the address they want to match into the PP1 line, and ProxySQL routes their query as if it came from that address. In practice this is a routing and ACL bypass. Real deployments use `client_addr` for read-write splitting (internal apps go to the primary, public traffic to read replicas), per-app schema pinning, and query-filter rules (DDL allowed only from admin CIDR, public queries blocked from dangerous patterns). An attacker that can reach the frontend port can forge their way into any of those routes. Version 3.0.9 patches this issue.

urllib3 version 2.6.3 is vulnerable to a decompression bomb bypass in its streaming API (`preload_content=False`) when using Brotli support. The issue arises due to three independent code paths in `response.py` that bypass the `max_length` protection introduced in version 2.6.0 to mitigate CVE-2025-66471. Specifically, negative `max_length` values can be produced due to buffer arithmetic in `read()`, `flush_decoder` unconditionally overrides `max_length` to `-1`, and `_flush_decoder()` passes no limit at all, defaulting to unlimited decompression. This allows a malicious HTTP server to trigger an out-of-memory (OOM) condition by decompressing large payloads into memory, leading to a denial of service (DoS). The vulnerability affects urllib3 2.6.3 and Brotli 1.2.0 and impacts applications and libraries using `requests` or `urllib3` to stream content from untrusted sources.

A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of service against the Tempo service.

A flaw was found in the AWX GitHub webhook integration. When processing GitHub pull_request webhooks, the controller stores the pull_request.statuses_url value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub Personal Access Token as its webhook credential, the controller later POSTs that token to the stored callback URL when posting job status updates. An attacker who can submit a correctly signed forged webhook using the job template's webhook_key can redirect the callback to an attacker-controlled URL and exfiltrate the configured GitHub PAT.

The SUSE Linux Enterprise 12 SP5 kernel was updated to fix various security issues The following security issues were fixed: - CVE-2025-10263: arm64: Add workaround for Cortex-A76 erratum 1286807 (bsc#1266290). - CVE-2025-40253: s390/ctcm: Fix double-kfree (bsc#1255084). - CVE-2025-68822: Input: alps - fix use-after-free bugs caused by dev3_register_work (bsc#1256668). - CVE-2026-3150: bcache: fix cached_dev.sb_bio use-after-free and crash (bsc#1263169). - CVE-2026-23271: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race (bsc#1260018). - CVE-2026-23279: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() (bsc#1260468). - CVE-2026-23303: smb: client: Don't log plaintext credentials in cifs_set_cifscreds (bsc#1260502). - CVE-2026-23367: wifi: radiotap: reject radiotap with unknown bits (bsc#1260731). - CVE-2026-23396: wifi: mac80211: fix NULL deref in mesh_matches_local() (bsc#1260729). - CVE-2026-23444: wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure (bsc#1266307). - CVE-2026-23448: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check (bsc#1261750). - CVE-2026-31405: media: dvb-net: fix OOB access in ULE extension header tables (bsc#1261700). - CVE-2026-31415: ipv6: avoid overflows in ip6_datagram_send_ctl() (bsc#1262099). - CVE-2026-31421: net/sched: cls_fw: fix NULL pointer dereference on shared blocks (bsc#1262061). - CVE-2026-31447: ext4: reject mount if bigalloc with s_first_data_block != 0 (bsc#1262614). - CVE-2026-31452: ext4: convert inline data to extents when truncate exceeds inline size (bsc#1262620). - CVE-2026-31464: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() (bsc#1262656). - CVE-2026-31469: virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false (bsc#1267816). - CVE-2026-31498: Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop (bsc#1262751). - CVE-2026-31500: Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock (bsc#1262993). - CVE-2026-31515: af_key: validate families in pfkey_send_migrate() (bsc#1262752). - CVE-2026-31516: xfrm: prevent policy_hthresh.work from racing with netns teardown (bsc#1262755). - CVE-2026-31532: can: af_can: export can_sock_destruct() (bsc#1262757). - CVE-2026-31540: drm/i915/gt: Check set_default_submission() before deferencing (bsc#1263011). - CVE-2026-31546: net: bonding: fix NULL deref in bond_debug_rlb_hash_show (bsc#1263006). - CVE-2026-31588: KVM: x86: Use scratch field in MMIO fragment to hold small write values (bsc#1263165). - CVE-2026-31590: KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION (bsc#1263152). - CVE-2026-31596: ocfs2: handle invalid dinode in ocfs2_group_extend (bsc#1263319). - CVE-2026-31629: nfc: llcp: add missing return after LLCP_CLOSED checks (bsc#1263790). - CVE-2026-31664: string.h: Introduce memset_after() for wiping trailing members/padding (bsc#1263578). - CVE-2026-31668: seg6: separate dst_cache for input and output paths in seg6 lwtunnel (bsc#1263140). - CVE-2026-31671: xfrm_user: fix info leak in build_report() (bsc#1263115). - CVE-2026-31673: af_unix: read UNIX_DIAG_VFS data under unix_state_lock (bsc#1263143). - CVE-2026-31674: netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check() (bsc#1263568). - CVE-2026-31678: openvswitch: defer tunnel netdev_put to RCU release (bsc#1263562). - CVE-2026-31759: usb: ulpi: fix double free in ulpi_register_interface() error path (bsc#1264076). - CVE-2026-31778: ALSA: caiaq: fix stack out-of-bounds read in init_card (bsc#1263923). - CVE-2026-43020: Bluetooth: MGMT: validate LTK enc_size on load (bsc#1264006). - CVE-2026-43024: netfilter: nf_tables: reject immediate NF_QUEUE verdict (bsc#1263930). - CVE-2026-43026: netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent (bsc#1263932). - CVE-2026-43028: netfilter: x_tables: ensure names are nul-terminated (bsc#1263934). - CVE-2026-43037: ip6_tunnel: clear skb2->cb in ip4ip6_err() (bsc#1263995). - CVE-2026-43038: ipv6: icmp: clear skb2->cb in ip6_err_gen_icmpv6_unreach() (bsc#1264097). - CVE-2026-43040: net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info- leak (bsc#1264091). - CVE-2026-43052: wifi: mac80211: check tdls flag in ieee80211_tdls_oper (bsc#1263945). - CVE-2026-43077: crypto: algif_aead - Fix minimum RX size check for decryption (bsc#1264470). - CVE-2026-43140: HID: magicmouse: Do not crash on missing msc->input (bsc#1264630). - CVE-2026-43158: xfs: fix freemap adjustments when adding xattrs to leaf blocks (bsc#1264595). - CVE-2026-43187: xfs: delete attr leaf freemap entries when empty (bsc#1264603). - CVE-2026-43198: tcp: fix potential race in tcp_v6_syn_recv_sock() (bsc#1264610). - CVE-2026-43206: drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set() (bsc#1264551). - CVE-2026-43234: team: avoid NETDEV_CHANGEMTU event when unregistering slave (bsc#1264409). - CVE-2026-43338: btrfs: re

PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` fetches the content of option values server-side via `file_get_contents()` when the value looks like a URL, without restricting the URL scheme. The `attachment` option of `Pdf` is the reachable sink: any value that passes `isOptionUrl()` (`filter_var(..., FILTER_VALIDATE_URL)`) is downloaded by the PHP process and embedded into the generated PDF. Because `FILTER_VALIDATE_URL` accepts `http`, `https`, `ftp`, `file` and PHP stream wrappers such as `php://`, an attacker who can influence the `attachment` value reaches both a **Server-Side Request Forgery** primitive (e.g. internal HTTP endpoints, cloud metadata) and a local file disclosure primitive (`file://`, `php://filter/...`), with the fetched bytes exfiltrated as a PDF attachment. This is the same class of issue KnpLabs/snappy patched for its `xsl-style-sheet` option in GHSA-c5fp-p67m-gq56. The library is documented as a one-to-one substitute for KnpLabs/snappy and shares the same code shape. PhpWeasyPrint version 2.6.0 contains a patch for the issue.

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that passes request input into a tag's sort parameter. It is not exploitable by default — a template would need to be explicitly set up to sort by a visitor-controlled value. This has been fixed in 5.73.23 and 6.20.0.

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources. Depending on the resource, this could expose titles, custom field values, entry content, asset metadata, and the existence of users, roles, and groups. No data could be modified. This has been fixed in 5.73.23 and 6.20.0.