π¨ CVE-2026-43284
In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp: avoid in-place decrypt on shared skb frags
MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
so later paths that may modify packet data can first make a private
copy. The IPv4/IPv6 datagram append paths did not set this flag when
splicing pages into UDP skbs.
That leaves an ESP-in-UDP packet made from shared pipe pages looking
like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
fast path for uncloned skbs without a frag_list and decrypts in place
over data that is not owned privately by the skb.
Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
TCP. Also make ESP input fall back to skb_cow_data() when the flag is
present, so ESP does not decrypt externally backed frags in place.
Private nonlinear skb frags still use the existing fast path.
This intentionally does not change ESP output. In esp_output_head(),
the path that appends the ESP trailer to existing skb tailroom without
calling skb_cow_data() is not reachable for nonlinear skbs:
skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
tailen is positive. Thus ESP output will either use the separate
destination-frag path or fall back to skb_cow_data().
π@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp: avoid in-place decrypt on shared skb frags
MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
so later paths that may modify packet data can first make a private
copy. The IPv4/IPv6 datagram append paths did not set this flag when
splicing pages into UDP skbs.
That leaves an ESP-in-UDP packet made from shared pipe pages looking
like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
fast path for uncloned skbs without a frag_list and decrypts in place
over data that is not owned privately by the skb.
Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
TCP. Also make ESP input fall back to skb_cow_data() when the flag is
present, so ESP does not decrypt externally backed frags in place.
Private nonlinear skb frags still use the existing fast path.
This intentionally does not change ESP output. In esp_output_head(),
the path that appends the ESP trailer to existing skb tailroom without
calling skb_cow_data() is not reachable for nonlinear skbs:
skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
tailen is positive. Thus ESP output will either use the separate
destination-frag path or fall back to skb_cow_data().
π@cveNotify
π¨ CVE-2026-41163
bubblewrap is a low-level unprivileged sandboxing tool. From version 0.11.0 to before version 0.11.2, if bubblewrap is installed in setuid mode then the user can use ptrace to attach to bubblewrap and control the unprivileged part of the sandbox setup phase. This allows the attacker to arbitrarily use the privileged operations, and in particular the "overlay mount" operation, allowing the creation of overlay mounts which is otherwise not allowed in the setuid version of bubblewrap. This issue has been patched in version 0.11.2.
π@cveNotify
bubblewrap is a low-level unprivileged sandboxing tool. From version 0.11.0 to before version 0.11.2, if bubblewrap is installed in setuid mode then the user can use ptrace to attach to bubblewrap and control the unprivileged part of the sandbox setup phase. This allows the attacker to arbitrarily use the privileged operations, and in particular the "overlay mount" operation, allowing the creation of overlay mounts which is otherwise not allowed in the setuid version of bubblewrap. This issue has been patched in version 0.11.2.
π@cveNotify
GitHub
Release Release 0.11.2 Β· containers/bubblewrap
This is a security update for CVE-2026-41163, which affects any system using bubblewrap 0.11.x using a setuid bubblewrap. Anyone using this should update to this release (or stop using setuid mode)...
π¨ CVE-2026-42294
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5.
π@cveNotify
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5.
π@cveNotify
GitHub
Merge commit from fork Β· argoproj/argo-workflows@7abb4de
Prevent denial-of-service via oversized webhook payloads by limiting
the request body read to 2MB using io.LimitReader.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
the request body read to 2MB using io.LimitReader.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
π¨ CVE-2026-42296
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod security context, add tolerations to schedule on control-plane nodes, or enable SA token mounting. This defeats the stated purpose of the feature. The practical impact depends on what Kubernetes-level controls are in place. Clusters with PodSecurity admission or OPA/Gatekeeper would independently block some of these (like hostNetwork). Clusters that rely on Argo's Strict mode as the primary enforcement layer are fully exposed. This issue has been patched in versions 3.7.14 and 4.0.5.
π@cveNotify
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod security context, add tolerations to schedule on control-plane nodes, or enable SA token mounting. This defeats the stated purpose of the feature. The practical impact depends on what Kubernetes-level controls are in place. Clusters with PodSecurity admission or OPA/Gatekeeper would independently block some of these (like hostNetwork). Clusters that rely on Argo's Strict mode as the primary enforcement layer are fully exposed. This issue has been patched in versions 3.7.14 and 4.0.5.
π@cveNotify
GitHub
Merge commit from fork Β· argoproj/argo-workflows@534f4ff
podSpecPatch on a user-submitted Workflow bypasses all security
settings defined in the referenced WorkflowTemplate, even when
templateReferencing is set to Strict or Secure. The Strict mode
check ...
settings defined in the referenced WorkflowTemplate, even when
templateReferencing is set to Strict or Secure. The Strict mode
check ...
π¨ CVE-2026-42297
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operations (create, read, update, delete). Any authenticated user β including those using fake Bearer tokens β can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits. This issue has been patched in version 4.0.5.
π@cveNotify
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operations (create, read, update, delete). Any authenticated user β including those using fake Bearer tokens β can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits. This issue has been patched in version 4.0.5.
π@cveNotify
GitHub
Merge commit from fork Β· argoproj/argo-workflows@09fff05
The configmap sync endpoints relied solely on the kube client's identity
for RBAC, which is only effective in Client auth mode. In Server or SSO
(without RBAC) modes, the server's o...
for RBAC, which is only effective in Client auth mode. In Server or SSO
(without RBAC) modes, the server's o...
π¨ CVE-2026-42246
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.
π@cveNotify
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.
π@cveNotify
GitHub
π Merge pull request #664 from ruby/security/STARTTLS-stripping Β· ruby/net-imap@0ede4c4
π Fix STARTTLS stripping vulnerability
π¨ CVE-2026-42258
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
π@cveNotify
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
π@cveNotify
GitHub
Release v0.4.24 Β· ruby/net-imap
ImportantThe 0.4.x release branch will only receive security fixes, and will be unsupported when ruby 3.3 is EOL.
Please upgrade to a newer version.
What's Changed
π Security
This release cont...
Please upgrade to a newer version.
What's Changed
π Security
This release cont...
π¨ CVE-2025-14179
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
π@cveNotify
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
π@cveNotify
GitHub
SQL injection in pdo_firebird via NUL bytes in quoted strings
Improper handling of NUL bytes during the preparation of Firebird SQL queries leads to sections of the of the query being dropped. NUL bytes can find their way into queries even under regular circu...
π¨ CVE-2026-6722
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
π@cveNotify
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
π@cveNotify
GitHub
Use-After-Free in SOAP using Apache map with Remote Code Execution
ext-soap supports deduplicating objects in the XML graph through `id` and `href`. When traversing the XML graph, ext-soap will remember all plain PHP objects using the hash map `SOAP_GLOBAL(ref_map...
π¨ CVE-2026-7262
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
π@cveNotify
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of missing value element. This leads to dereferences a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.
π@cveNotify
GitHub
NULL pointer dereference in SOAP apache:Map decoder with missing <value>
`to_zval_map()` in `ext/soap/php_encoding.c` decodes `apache:Map` nodes. The `<key>` branch correctly guards against missing keys, but the `<value>` branch rechecks `xmlKey` instead of ...
π¨ CVE-2026-7568
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.
π@cveNotify
In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.
π@cveNotify
GitHub
Signed integer overflow in metaphone()
**Researcher: Aleksey Solovev (Positive Technologies)**
The PHP standard library provides the function `metaphone()` (php-src/ext/standard/metaphone.c). This function is used for searching and m...
The PHP standard library provides the function `metaphone()` (php-src/ext/standard/metaphone.c). This function is used for searching and m...
π¨ CVE-2026-6104
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
π@cveNotify
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to out-of-bounds read of global memory, potentially causing a crash or information disclosure or crash. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
π@cveNotify
GitHub
Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding
## Summary
A global buffer over-read exists in `mbfl_name2encoding_ex()` (`ext/mbstring/libmbfl/mbfl/mbfl_encoding.c`, line 352), called from `mb_convert_encoding(...)` and other mbstring functi...
A global buffer over-read exists in `mbfl_name2encoding_ex()` (`ext/mbstring/libmbfl/mbfl/mbfl_encoding.c`, line 352), called from `mb_convert_encoding(...)` and other mbstring functi...
π¨ CVE-2026-7263
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.
π@cveNotify
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.
π@cveNotify
GitHub
DoS attack via DOMNode::C14N()
**Researcher: Nikita Sveshnikov (Positive Technologies)**
In `DOMNode::C14N()`, improper removal of a `xmlns` libxml2 attribute from a doubly linked list can lead to a corrupt, circular linked l...
In `DOMNode::C14N()`, improper removal of a `xmlns` libxml2 attribute from a doubly linked list can lead to a corrupt, circular linked l...
π¨ CVE-2026-45186
In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.
π@cveNotify
In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.
π@cveNotify
GitHub
[CVE-2026-45186] Prevent attribute collision check DoS by hartwork Β· Pull Request #1216 Β· libexpat/libexpat
Attack payload generator (use responsibly) download: attribute_collision_check_payload_2.py
# python3 attribute_collision_check_payload_2.py 5
<!DOCTYPE d [
<!ATTLIST e a0 CDATA &am...
# python3 attribute_collision_check_payload_2.py 5
<!DOCTYPE d [
<!ATTLIST e a0 CDATA &am...
π¨ CVE-2026-8177
XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences.
A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory.
Any Perl process that passes attacker controlled strings to XML::LibXML's DOM node-name methods can reach this path on the default API. The likely consequence is a crash, causing denial of service.
π@cveNotify
XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences.
A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory.
Any Perl process that passes attacker controlled strings to XML::LibXML's DOM node-name methods can reach this path on the default API. The likely consequence is a crash, causing denial of service.
π@cveNotify
π¨ CVE-2026-43500
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().
Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true. This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO). The OOM/trace handling already in place is reused.
π@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries externally-owned paged fragments
(e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via
__ip_append_data, or a chained skb_has_frag_list()) falls through to
the in-place decryption path, which binds the frag pages directly into
the AEAD/skcipher SGL via skb_to_sgvec().
Extend the gate to also unshare when skb_has_frag_list() or
skb_has_shared_frag() is true. This catches the splice-loopback vector
and other externally-shared frag sources while preserving the
zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC
page_pool RX, GRO). The OOM/trace handling already in place is reused.
π@cveNotify
π¨ CVE-2026-4802
A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.
π@cveNotify
A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.
π@cveNotify
π¨ CVE-2026-4890
A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
π@cveNotify
A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
π@cveNotify
GitHub
dnsmasq: 2.92 -> 2.92rel2 by LeSuisse Β· Pull Request #519082 Β· NixOS/nixpkgs
Fixes CVE-2026-2291
Fixes CVE-2026-4890
Fixes CVE-2026-4891
Fixes CVE-2026-4892
Fixes CVE-2026-4893
Fixes CVE-2026-5172
https://kb.cert.org/vuls/id/471747
Changelog:
version 2.92rel2
2.92 p...
Fixes CVE-2026-4890
Fixes CVE-2026-4891
Fixes CVE-2026-4892
Fixes CVE-2026-4893
Fixes CVE-2026-5172
https://kb.cert.org/vuls/id/471747
Changelog:
version 2.92rel2
2.92 p...
π¨ CVE-2026-4891
A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
π@cveNotify
A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet.
π@cveNotify
GitHub
dnsmasq: 2.92 -> 2.92rel2 by LeSuisse Β· Pull Request #519082 Β· NixOS/nixpkgs
Fixes CVE-2026-2291
Fixes CVE-2026-4890
Fixes CVE-2026-4891
Fixes CVE-2026-4892
Fixes CVE-2026-4893
Fixes CVE-2026-5172
https://kb.cert.org/vuls/id/471747
Changelog:
version 2.92rel2
2.92 p...
Fixes CVE-2026-4890
Fixes CVE-2026-4891
Fixes CVE-2026-4892
Fixes CVE-2026-4893
Fixes CVE-2026-5172
https://kb.cert.org/vuls/id/471747
Changelog:
version 2.92rel2
2.92 p...
π¨ CVE-2026-4892
A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.
π@cveNotify
A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.
π@cveNotify
GitHub
dnsmasq: 2.92 -> 2.92rel2 by LeSuisse Β· Pull Request #519082 Β· NixOS/nixpkgs
Fixes CVE-2026-2291
Fixes CVE-2026-4890
Fixes CVE-2026-4891
Fixes CVE-2026-4892
Fixes CVE-2026-4893
Fixes CVE-2026-5172
https://kb.cert.org/vuls/id/471747
Changelog:
version 2.92rel2
2.92 p...
Fixes CVE-2026-4890
Fixes CVE-2026-4891
Fixes CVE-2026-4892
Fixes CVE-2026-4893
Fixes CVE-2026-5172
https://kb.cert.org/vuls/id/471747
Changelog:
version 2.92rel2
2.92 p...
π¨ CVE-2026-5172
A buffer overflow in dnsmasqβs extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the recordβs end.
π@cveNotify
A buffer overflow in dnsmasqβs extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the recordβs end.
π@cveNotify
GitHub
dnsmasq: 2.92 -> 2.92rel2 by LeSuisse Β· Pull Request #519082 Β· NixOS/nixpkgs
Fixes CVE-2026-2291
Fixes CVE-2026-4890
Fixes CVE-2026-4891
Fixes CVE-2026-4892
Fixes CVE-2026-4893
Fixes CVE-2026-5172
https://kb.cert.org/vuls/id/471747
Changelog:
version 2.92rel2
2.92 p...
Fixes CVE-2026-4890
Fixes CVE-2026-4891
Fixes CVE-2026-4892
Fixes CVE-2026-4893
Fixes CVE-2026-5172
https://kb.cert.org/vuls/id/471747
Changelog:
version 2.92rel2
2.92 p...