LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-1999-0009 CVE STATUS: Patched CVE SUMMARY: Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0009 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-1999-0010 CVE STATUS: Patched CVE SUMMARY: Denial of Service vulnerability in BIND 8 Releases via maliciously formatted DNS messages. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0010 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-1999-0011 CVE STATUS: Patched CVE SUMMARY: Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 5.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0011 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-1999-0024 CVE STATUS: Patched CVE SUMMARY: DNS cache poisoning via BIND, by predictable query IDs. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0024 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-1999-0184 CVE STATUS: Patched CVE SUMMARY: When compiled with the -DALLOW_UPDATES option, bind allows dynamic updates to the DNS server, allowing for malicious modification of DNS records. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0184 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-1999-0833 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in BIND 8.2 via NXT records. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0833 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-1999-0837 CVE STATUS: Patched CVE SUMMARY: Denial of service in BIND by improperly closing TCP sessions via so_linger. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0837 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-1999-0848 CVE STATUS: Patched CVE SUMMARY: Denial of service in BIND named via consuming more than "fdmax" file descriptors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0848 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-1999-0849 CVE STATUS: Patched CVE SUMMARY: Denial of service in BIND named via maxdname. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0849 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-1999-1499 CVE STATUS: Patched CVE SUMMARY: named in ISC BIND 4.9 and 8.1 allows local users to destroy files via a symlink attack on (1) named_dump.db when root kills the process with a SIGINT, or (2) named.stats when SIGIOT is used. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1499 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2000-0335 CVE STATUS: Patched CVE SUMMARY: The resolver in glibc 2.1.3 uses predictable IDs, which allows a local attacker to spoof DNS query results. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0335 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2000-0887 CVE STATUS: Patched CVE SUMMARY: named in BIND 8.2 through 8.2.2-P6 allows remote attackers to cause a denial of service by making a compressed zone transfer (ZXFR) request and performing a name service query on an authoritative record that is not cached, aka the "zxfr bug." CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0887 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2000-0888 CVE STATUS: Patched CVE SUMMARY: named in BIND 8.2 through 8.2.2-P6 allows remote attackers to cause a denial of service by sending an SRV record to the server, aka the "srv bug." CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0888 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2000-1029 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in host command allows a remote attacker to execute arbitrary commands via a long response to an AXFR query. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1029 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2001-0010 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in transaction signature (TSIG) handling code in BIND 8 allows remote attackers to gain root privileges. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0010 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2001-0011 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in nslookupComplain function in BIND 4 allows remote attackers to gain root privileges. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0011 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2001-0012 CVE STATUS: Patched CVE SUMMARY: BIND 4 and BIND 8 allow remote attackers to access sensitive information such as environment variables. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0012 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2001-0013 CVE STATUS: Patched CVE SUMMARY: Format string vulnerability in nslookupComplain function in BIND 4 allows remote attackers to gain root privileges. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0013 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2001-0497 CVE STATUS: Patched CVE SUMMARY: dnskeygen in BIND 8.2.4 and earlier, and dnssec-keygen in BIND 9.1.2 and earlier, set insecure permissions for a HMAC-MD5 shared secret key file used for DNS Transactional Signatures (TSIG), which allows attackers to obtain the keys and perform dynamic DNS updates. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0497 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2002-0029 CVE STATUS: Patched CVE SUMMARY: Buffer overflows in the DNS stub resolver library in ISC BIND 4.9.2 through 4.9.10, and other derived libraries such as BSD libc and GNU glibc, allow remote attackers to execute arbitrary code via DNS server responses that trigger the overflow in the (1) getnetbyname, or (2) getnetbyaddr functions, aka "LIBRESOLV: buffer overrun" and a different vulnerability than CVE-2002-0684. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0029 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2002-0400 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9 before 9.2.1 allows remote attackers to cause a denial of service (shutdown) via a malformed DNS packet that triggers an error condition that is not properly handled when the rdataset parameter to the dns_message_findtype() function in message.c is not NULL, aka DoS_findtype. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0400 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2002-0651 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0651 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2002-0684 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0684 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2002-1219 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in named in BIND 4 versions 4.9.10 and earlier, and 8 versions 8.3.3 and earlier, allows remote attackers to execute arbitrary code via a certain DNS server response containing SIG resource records (RR). CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1219 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2002-1220 CVE STATUS: Patched CVE SUMMARY: BIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1220 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2002-1221 CVE STATUS: Patched CVE SUMMARY: BIND 8.x through 8.3.3 allows remote attackers to cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1221 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2002-2211 CVE STATUS: Patched CVE SUMMARY: BIND 4 and BIND 8, when resolving recursive DNS queries for arbitrary hosts, allows remote attackers to conduct DNS cache poisoning via a birthday attack that uses a large number of open queries for the same resource record (RR) combined with spoofed responses, which increases the possibility of successfully spoofing a response in a way that is more efficient than brute force methods. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-2211 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2002-2212 CVE STATUS: Patched CVE SUMMARY: The DNS resolver in unspecified versions of Fujitsu UXP/V, when resolving recursive DNS queries for arbitrary hosts, allows remote attackers to conduct DNS cache poisoning via a birthday attack that uses a large number of open queries for the same resource record (RR) combined with spoofed responses, which increases the possibility of successfully spoofing a response in a way that is more efficient than brute force methods. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-2212 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2002-2213 CVE STATUS: Patched CVE SUMMARY: The DNS resolver in unspecified versions of Infoblox DNS One, when resolving recursive DNS queries for arbitrary hosts, allows remote attackers to conduct DNS cache poisoning via a birthday attack that uses a large number of open queries for the same resource record (RR) combined with spoofed responses, which increases the possibility of successfully spoofing a response in a way that is more efficient than brute force methods. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-2213 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2003-0914 CVE STATUS: Patched CVE SUMMARY: ISC BIND 8.3.x before 8.3.7, and 8.4.x before 8.4.3, allows remote attackers to poison the cache via a malicious name server that returns negative responses with a large TTL (time-to-live) value. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0914 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2005-0033 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the code for recursion and glue fetching in BIND 8.4.4 and 8.4.5 allows remote attackers to cause a denial of service (crash) via queries that trigger the overflow in the q_usedns array that tracks nameservers and addresses. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0033 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2005-0034 CVE STATUS: Patched CVE SUMMARY: An "incorrect assumption" in the authvalidated validator function in BIND 9.3.0, when DNSSEC is enabled, allows remote attackers to cause a denial of service (named server exit) via crafted DNS packets that cause an internal consistency test (self-check) to fail. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0034 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2006-0527 CVE STATUS: Patched CVE SUMMARY: BIND 4 (BIND4) and BIND 8 (BIND8), if used as a target forwarder, allows remote attackers to gain privileged access via a "Kashpureff-style DNS cache corruption" attack. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0527 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2006-0987 CVE STATUS: Patched CVE SUMMARY: The default configuration of ISC BIND before 9.4.1-P1, when configured as a caching name server, allows recursive queries and provides additional delegation information to arbitrary IP addresses, which allows remote attackers to cause a denial of service (traffic amplification) via DNS queries with spoofed source IP addresses. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0987 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2006-2073 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in ISC BIND allows remote attackers to cause a denial of service via a crafted DNS message with a "broken" TSIG, as demonstrated by the OUSPG PROTOS DNS test suite. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2073 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2006-4095 CVE STATUS: Patched CVE SUMMARY: BIND before 9.2.6-P1 and 9.3.x before 9.3.2-P1 allows remote attackers to cause a denial of service (crash) via certain SIG queries, which cause an assertion failure when multiple RRsets are returned. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4095 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2006-4096 CVE STATUS: Patched CVE SUMMARY: BIND before 9.2.6-P1 and 9.3.x before 9.3.2-P1 allows remote attackers to cause a denial of service (crash) via a flood of recursive queries, which cause an INSIST failure when the response is received after the recursion queue is empty. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4096 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2007-0493 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in ISC BIND 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (named daemon crash) via unspecified vectors that cause named to "dereference a freed fetch context." CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0493 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2007-0494 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9.0.x, 9.1.x, 9.2.0 up to 9.2.7, 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (exit) via a type * (ANY) DNS query response that contains multiple RRsets, which triggers an assertion error, aka the "DNSSEC Validation" vulnerability. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0494 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2007-2241 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in query.c in ISC BIND 9.4.0, and 9.5.0a1 through 9.5.0a3, when recursion is enabled, allows remote attackers to cause a denial of service (daemon exit) via a sequence of queries processed by the query_addsoa function. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2241 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2007-2925 CVE STATUS: Patched CVE SUMMARY: The default access control lists (ACL) in ISC BIND 9.4.0, 9.4.1, and 9.5.0a1 through 9.5.0a5 do not set the allow-recursion and allow-query-cache ACLs, which allows remote attackers to make recursive queries and query the cache. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2925 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2007-2926 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9 through 9.5.0a5 uses a weak random number generator during generation of DNS query ids when answering resolver questions or sending NOTIFY messages to slave name servers, which makes it easier for remote attackers to guess the next query id and perform DNS cache poisoning. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2926 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2007-2930 CVE STATUS: Patched CVE SUMMARY: The (1) NSID_SHUFFLE_ONLY and (2) NSID_USE_POOL PRNG algorithms in ISC BIND 8 before 8.4.7-P1 generate predictable DNS query identifiers when sending outgoing queries such as NOTIFY messages when answering questions as a resolver, which allows remote attackers to poison DNS caches via unknown vectors. NOTE: this issue is different from CVE-2007-2926. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2930 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2008-0122 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the inet_network function in libbind in ISC BIND 9.4.2 and earlier, as used in libc in FreeBSD 6.2 through 7.0-PRERELEASE, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0122 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2008-1447 CVE STATUS: Patched CVE SUMMARY: The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug." CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1447 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2008-4163 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in ISC BIND 9.3.5-P2-W1, 9.4.2-P2-W1, and 9.5.0-P2-W1 on Windows allows remote attackers to cause a denial of service (UDP client handler termination) via unknown vectors. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4163 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2009-0025 CVE STATUS: Patched CVE SUMMARY: BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0025 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2009-0265 CVE STATUS: Patched CVE SUMMARY: Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077 and CVE-2009-0025. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0265 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2009-0696 CVE STATUS: Patched CVE SUMMARY: The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1, when configured as a master server, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an ANY record in the prerequisite section of a crafted dynamic update message. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0696 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2009-4022 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4022 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2010-0097 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta does not properly validate DNSSEC (1) NSEC and (2) NSEC3 records, which allows remote attackers to add the Authenticated Data (AD) flag to a forged NXDOMAIN response for an existing domain. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0097 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2010-0213 CVE STATUS: Patched CVE SUMMARY: BIND 9.7.1 and 9.7.1-P1, when a recursive validating server has a trust anchor that is configured statically or via DNSSEC Lookaside Validation (DLV), allows remote attackers to cause a denial of service (infinite loop) via a query for an RRSIG record whose answer is not in the cache, which causes BIND to repeatedly send RRSIG queries to the authoritative servers. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0213 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2010-0218 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9.7.2 through 9.7.2-P1 uses an incorrect ACL to restrict the ability of Recursion Desired (RD) queries to access the cache, which allows remote attackers to obtain potentially sensitive information via a DNS query. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0218 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2010-0290 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains (1) CNAME or (2) DNAME records, which do not have the intended validation before caching, aka Bug 20737. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-4022. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0290 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2010-0382 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta handles out-of-bailiwick data accompanying a secure response without re-fetching from the original source, which allows remote attackers to have an unspecified impact via a crafted response, aka Bug 20819. NOTE: this vulnerability exists because of a regression during the fix for CVE-2009-4022. CVSS v2 BASE SCORE: 7.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0382 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2010-3613 CVE STATUS: Patched CVE SUMMARY: named in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3, and 9.7.x before 9.7.2-P3 does not properly handle the combination of signed negative responses and corresponding RRSIG records in the cache, which allows remote attackers to cause a denial of service (daemon crash) via a query for cached data. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3613 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2010-3614 CVE STATUS: Patched CVE SUMMARY: named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3, 9.4-ESV before 9.4-ESV-R4, and 9.6-ESV before 9.6-ESV-R3 does not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which might allow remote attackers to cause a denial of service (DNSSEC validation error) by triggering a rollover. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3614 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2010-3615 CVE STATUS: Patched CVE SUMMARY: named in ISC BIND 9.7.2-P2 does not check all intended locations for allow-query ACLs, which might allow remote attackers to make successful requests for private DNS records via the standard DNS query mechanism. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3615 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2010-3762 CVE STATUS: Patched CVE SUMMARY: ISC BIND before 9.7.2-P2, when DNSSEC validation is enabled, does not properly handle certain bad signatures if multiple trust anchors exist for a single zone, which allows remote attackers to cause a denial of service (daemon crash) via a DNS query. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3762 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2011-0414 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9.7.1 through 9.7.2-P3, when configured as an authoritative server, allows remote attackers to cause a denial of service (deadlock and daemon hang) by sending a query at the time of (1) an IXFR transfer or (2) a DDNS update. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0414 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2011-1907 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9.8.x before 9.8.0-P1, when Response Policy Zones (RPZ) RRset replacement is enabled, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an RRSIG query. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1907 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2011-1910 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in named in ISC BIND 9.x before 9.7.3-P1, 9.8.x before 9.8.0-P2, 9.4-ESV before 9.4-ESV-R4-P1, and 9.6-ESV before 9.6-ESV-R4-P1 allows remote DNS servers to cause a denial of service (assertion failure and daemon exit) via a negative response containing large RRSIG RRsets. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1910 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2011-2464 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in ISC BIND 9 9.6.x before 9.6-ESV-R4-P3, 9.7.x before 9.7.3-P3, and 9.8.x before 9.8.0-P4 allows remote attackers to cause a denial of service (named daemon crash) via a crafted UPDATE request. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2464 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2011-2465 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in ISC BIND 9 9.8.0, 9.8.0-P1, 9.8.0-P2, and 9.8.1b1, when recursion is enabled and the Response Policy Zone (RPZ) contains DNAME or certain CNAME records, allows remote attackers to cause a denial of service (named daemon crash) via an unspecified query. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2465 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2011-4313 CVE STATUS: Patched CVE SUMMARY: query.c in ISC BIND 9.0.x through 9.6.x, 9.4-ESV through 9.4-ESV-R5, 9.6-ESV through 9.6-ESV-R5, 9.7.0 through 9.7.4, 9.8.0 through 9.8.1, and 9.9.0a1 through 9.9.0b1 allows remote attackers to cause a denial of service (assertion failure and named exit) via unknown vectors related to recursive DNS queries, error logging, and the caching of an invalid record by the resolver. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4313 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2012-1033 CVE STATUS: Patched CVE SUMMARY: The resolver in ISC BIND 9 through 9.8.1-P1 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1033 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2012-1667 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource records with a zero-length RDATA section, which allows remote DNS servers to cause a denial of service (daemon crash or data corruption) or obtain sensitive information from process memory via a crafted record. CVSS v2 BASE SCORE: 8.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1667 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2012-3817 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9.4.x, 9.5.x, 9.6.x, and 9.7.x before 9.7.6-P2; 9.8.x before 9.8.3-P2; 9.9.x before 9.9.1-P2; and 9.6-ESV before 9.6-ESV-R7-P2, when DNSSEC validation is enabled, does not properly initialize the failing-query cache, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) by sending many queries. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3817 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2012-3868 CVE STATUS: Patched CVE SUMMARY: Race condition in the ns_client structure management in ISC BIND 9.9.x before 9.9.1-P2 allows remote attackers to cause a denial of service (memory consumption or process exit) via a large volume of TCP queries. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3868 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2012-4244 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for a long resource record. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4244 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2012-5166 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9.x before 9.7.6-P4, 9.8.x before 9.8.3-P4, 9.9.x before 9.9.1-P4, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P4 allows remote attackers to cause a denial of service (named daemon hang) via unspecified combinations of resource records. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5166 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2012-5688 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9.8.x before 9.8.4-P1 and 9.9.x before 9.9.2-P1, when DNS64 is enabled, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5688 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2012-5689 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9.8.x through 9.8.4-P1 and 9.9.x through 9.9.2-P1, in certain configurations involving DNS64 with a Response Policy Zone that lacks an AAAA rewrite rule, allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for an AAAA record. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5689 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2013-2266 CVE STATUS: Patched CVE SUMMARY: libdns in ISC BIND 9.7.x and 9.8.x before 9.8.4-P2, 9.8.5 before 9.8.5b2, 9.9.x before 9.9.2-P2, and 9.9.3 before 9.9.3b2 on UNIX platforms allows remote attackers to cause a denial of service (memory consumption) via a crafted regular expression, as demonstrated by a memory-exhaustion attack against a machine running a named process. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2266 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2013-3919 CVE STATUS: Patched CVE SUMMARY: resolver.c in ISC BIND 9.8.5 before 9.8.5-P1, 9.9.3 before 9.9.3-P1, and 9.6-ESV-R9 before 9.6-ESV-R9-P1, when a recursive resolver is configured, allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for a record in a malformed zone. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3919 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2013-4854 CVE STATUS: Patched CVE SUMMARY: The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and 9.9.4b1, and DNSco BIND 9.9.3-S1 before 9.9.3-S1-P1 and 9.9.4-S1b1, allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query with a malformed RDATA section that is not properly handled during construction of a log message, as exploited in the wild in July 2013. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4854 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2013-5661 CVE STATUS: Patched CVE SUMMARY: Cache Poisoning issue exists in DNS Response Rate Limiting. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-5661 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2013-6230 CVE STATUS: Patched CVE SUMMARY: The Winsock WSAIoctl API in Microsoft Windows Server 2008, as used in ISC BIND 9.6-ESV before 9.6-ESV-R10-P1, 9.8 before 9.8.6-P1, 9.9 before 9.9.4-P1, 9.9.3-S1, 9.9.4-S1, and other products, does not properly support the SIO_GET_INTERFACE_LIST command for netmask 255.255.255.255, which allows remote attackers to bypass intended IP address restrictions by leveraging misinterpretation of this netmask as a 0.0.0.0 netmask. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6230 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2014-0591 CVE STATUS: Patched CVE SUMMARY: The query_findclosestnsec3 function in query.c in named in ISC BIND 9.6, 9.7, and 9.8 before 9.8.6-P2 and 9.9 before 9.9.4-P2, and 9.6-ESV before 9.6-ESV-R10-P2, allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via a crafted DNS query to an authoritative nameserver that uses the NSEC3 signing feature. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0591 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2014-3214 CVE STATUS: Patched CVE SUMMARY: The prefetch implementation in named in ISC BIND 9.10.0, when a recursive nameserver is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via a DNS query that triggers a response with unspecified attributes. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3214 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2014-3859 CVE STATUS: Patched CVE SUMMARY: libdns in ISC BIND 9.10.0 before P2 does not properly handle EDNS options, which allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via a crafted packet, as demonstrated by an attack against named, dig, or delv. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3859 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2014-8500 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9.0.x through 9.8.x, 9.9.0 through 9.9.6, and 9.10.0 through 9.10.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory consumption and named crash) via a large or infinite number of referrals. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8500 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2014-8680 CVE STATUS: Patched CVE SUMMARY: The GeoIP functionality in ISC BIND 9.10.0 through 9.10.1 allows remote attackers to cause a denial of service (assertion failure and named exit) via vectors related to (1) the lack of GeoIP databases for both IPv4 and IPv6, or (2) IPv6 support with certain options. CVSS v2 BASE SCORE: 5.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8680 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2015-1349 CVE STATUS: Patched CVE SUMMARY: named in ISC BIND 9.7.0 through 9.9.6 before 9.9.6-P2 and 9.10.x before 9.10.1-P2, when DNSSEC validation and the managed-keys feature are enabled, allows remote attackers to cause a denial of service (assertion failure and daemon exit, or daemon crash) by triggering an incorrect trust-anchor management scenario in which no key is ready for use. CVSS v2 BASE SCORE: 5.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1349 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2015-4620 CVE STATUS: Patched CVE SUMMARY: name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4620 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2015-5477 CVE STATUS: Patched CVE SUMMARY: named in ISC BIND 9.x before 9.9.7-P2 and 9.10.x before 9.10.2-P3 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via TKEY queries. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5477 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2015-5722 CVE STATUS: Patched CVE SUMMARY: buffer.c in named in ISC BIND 9.x before 9.9.7-P3 and 9.10.x before 9.10.2-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) by creating a zone containing a malformed DNSSEC key and issuing a query for a name in that zone. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5722 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2015-5986 CVE STATUS: Patched CVE SUMMARY: openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3 and 9.10.x before 9.10.2-P4 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via a crafted DNS response. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5986 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2015-8000 CVE STATUS: Patched CVE SUMMARY: db.c in named in ISC BIND 9.x before 9.9.8-P2 and 9.10.x before 9.10.3-P2 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via a malformed class attribute. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8000 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2015-8461 CVE STATUS: Patched CVE SUMMARY: Race condition in resolver.c in named in ISC BIND 9.9.8 before 9.9.8-P2 and 9.10.3 before 9.10.3-P2 allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via unspecified vectors. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8461 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2015-8704 CVE STATUS: Patched CVE SUMMARY: apl_42.c in ISC BIND 9.x before 9.9.8-P3, 9.9.x, and 9.10.x before 9.10.3-P3 allows remote authenticated users to cause a denial of service (INSIST assertion failure and daemon exit) via a malformed Address Prefix List (APL) record. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8704 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2015-8705 CVE STATUS: Patched CVE SUMMARY: buffer.c in named in ISC BIND 9.10.x before 9.10.3-P3, when debug logging is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit, or daemon crash) or possibly have unspecified other impact via (1) OPT data or (2) an ECS option. CVSS v2 BASE SCORE: 6.6 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8705 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2016-1284 CVE STATUS: Patched CVE SUMMARY: rdataset.c in ISC BIND 9 Supported Preview Edition 9.9.8-S before 9.9.8-S5, when nxdomain-redirect is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via crafted flag values in a query. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1284 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2016-1285 CVE STATUS: Patched CVE SUMMARY: named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 does not properly handle DNAME records when parsing fetch reply messages, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed packet to the rndc (aka control channel) interface, related to alist.c and sexpr.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1285 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2016-1286 CVE STATUS: Patched CVE SUMMARY: named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted signature record for a DNAME record, related to db.c and resolver.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1286 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2016-2088 CVE STATUS: Patched CVE SUMMARY: resolver.c in named in ISC BIND 9.10.x before 9.10.3-P4, when DNS cookies are enabled, allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via a malformed packet with more than one cookie option. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2088 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2016-2775 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2775 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2016-2776 CVE STATUS: Patched CVE SUMMARY: buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2776 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2016-2848 CVE STATUS: Patched CVE SUMMARY: ISC BIND 9.1.0 through 9.8.4-P2 and 9.9.0 through 9.9.2-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via malformed options data in an OPT resource record. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2848 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2016-6170 CVE STATUS: Patched CVE SUMMARY: ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response and allows remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE message. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6170 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2016-8864 CVE STATUS: Patched CVE SUMMARY: named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8864 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2016-9131 CVE STATUS: Patched CVE SUMMARY: named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed response to an RTYPE ANY query. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9131 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2016-9147 CVE STATUS: Patched CVE SUMMARY: named in ISC BIND 9.9.9-P4, 9.9.9-S6, 9.10.4-P4, and 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a response containing an inconsistency among the DNSSEC-related RRsets. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9147 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2016-9444 CVE STATUS: Patched CVE SUMMARY: named in ISC BIND 9.x before 9.9.9-P5, 9.10.x before 9.10.4-P5, and 9.11.x before 9.11.0-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted DS resource record in an answer. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9444 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2016-9778 CVE STATUS: Patched CVE SUMMARY: An error in handling certain queries can cause an assertion failure when a server is using the nxdomain-redirect feature to cover a zone for which it is also providing authoritative service. A vulnerable server could be intentionally stopped by an attacker if it was using a configuration that met the criteria for the vulnerability and if the attacker could cause it to accept a query that possessed the required attributes. Please note: This vulnerability affects the "nxdomain-redirect" feature, which is one of two methods of handling NXDOMAIN redirection, and is only available in certain versions of BIND. Redirection using zones of type "redirect" is not affected by this vulnerability. Affects BIND 9.9.8-S1 -> 9.9.8-S3, 9.9.9-S1 -> 9.9.9-S6, 9.11.0-9.11.0-P1. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9778 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2017-3135 CVE STATUS: Patched CVE SUMMARY: Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.4-P5, 9.10.5b1, 9.11.0 -> 9.11.0-P2, 9.11.1b1. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3135 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2017-3136 CVE STATUS: Patched CVE SUMMARY: A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. Affects BIND 9.8.0 -> 9.8.8-P1, 9.9.0 -> 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.0 -> 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0 -> 9.11.0-P3, 9.11.1b1->9.11.1rc1, 9.9.3-S1 -> 9.9.9-S8. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3136 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2017-3137 CVE STATUS: Patched CVE SUMMARY: Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order. Affects BIND 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0-P3, 9.11.1b1->9.11.1rc1, and 9.9.9-S8. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3137 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2017-3138 CVE STATUS: Patched CVE SUMMARY: named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9. CVSS v2 BASE SCORE: 3.5 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3138 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2017-3140 CVE STATUS: Patched CVE SUMMARY: If named is configured to use Response Policy Zones (RPZ) an error processing some rule types can lead to a condition where BIND will endlessly loop while handling a query. Affects BIND 9.9.10, 9.10.5, 9.11.0->9.11.1, 9.9.10-S1, 9.10.5-S1. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3140 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2017-3141 CVE STATUS: Patched CVE SUMMARY: The BIND installer on Windows uses an unquoted service path which can enable a local user to achieve privilege escalation if the host file system permissions allow this. Affects BIND 9.2.6-P2->9.2.9, 9.3.2-P1->9.3.6, 9.4.0->9.8.8, 9.9.0->9.9.10, 9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, 9.10.5-S1. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3141 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2017-3142 CVE STATUS: Patched CVE SUMMARY: An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into: providing an AXFR of a zone to an unauthorized recipient or accepting bogus NOTIFY packets. Affects BIND 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2, 9.10.5-S1->9.10.5-S2. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3142 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2017-3143 CVE STATUS: Patched CVE SUMMARY: An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. Affects BIND 9.4.0->9.8.8, 9.9.0->9.9.10-P1, 9.10.0->9.10.5-P1, 9.11.0->9.11.1-P1, 9.9.3-S1->9.9.10-S2, 9.10.5-S1->9.10.5-S2. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3143 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2017-3145 CVE STATUS: Patched CVE SUMMARY: BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. Affects BIND 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, 9.12.0a1 to 9.12.0rc1. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3145 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2018-5734 CVE STATUS: Patched CVE SUMMARY: While handling a particular type of malformed packet BIND erroneously selects a SERVFAIL rcode instead of a FORMERR rcode. If the receiving view has the SERVFAIL cache feature enabled, this can trigger an assertion failure in badcache.c when the request doesn't contain all of the expected information. Affects BIND 9.10.5-S1 to 9.10.5-S4, 9.10.6-S1, 9.10.6-S2. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5734 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2018-5736 CVE STATUS: Patched CVE SUMMARY: An error in zone database reference counting can lead to an assertion failure if a server which is running an affected version of BIND attempts several transfers of a slave zone in quick succession. This defect could be deliberately exercised by an attacker who is permitted to cause a vulnerable server to initiate zone transfers (for example: by sending valid NOTIFY messages), causing the named process to exit after failing the assertion test. Affects BIND 9.12.0 and 9.12.1. CVSS v2 BASE SCORE: 3.5 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5736 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2018-5737 CVE STATUS: Patched CVE SUMMARY: A problem with the implementation of the new serve-stale feature in BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-answer-enable is off. Additionally, problematic interaction between the serve-stale feature and NSEC aggressive negative caching can in some cases cause undesirable behavior from named, such as a recursion loop or excessive logging. Deliberate exploitation of this condition could cause operational problems depending on the particular manifestation -- either degradation or denial of service. Affects BIND 9.12.0 and 9.12.1. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5737 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2018-5738 CVE STATUS: Patched CVE SUMMARY: Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the "allow-recursion" setting, it SHOULD default to one of the following: none, if "recursion no;" is set in named.conf; a value inherited from the "allow-query-cache" or "allow-query" settings IF "recursion yes;" (the default for that setting) AND match lists are explicitly set for "allow-query-cache" or "allow-query" (see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of "allow-recursion {localhost; localnets;};" if "recursion yes;" is in effect and no values are explicitly set for "allow-query-cache" or "allow-query". However, because of the regression introduced by change #4777, it is possible when "recursion yes;" is in effect and no match list values are provided for "allow-query-cache" or "allow-query" for the setting of "allow-recursion" to inherit a setting of all hosts from the "allow-query" setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5738 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2018-5740 CVE STATUS: Patched CVE SUMMARY: "deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c. Affects BIND 9.7.0->9.8.8, 9.9.0->9.9.13, 9.10.0->9.10.8, 9.11.0->9.11.4, 9.12.0->9.12.2, 9.13.0->9.13.2. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5740 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2018-5741 CVE STATUS: Patched CVE SUMMARY: To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5741 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2018-5742 CVE STATUS: Patched CVE SUMMARY: While backporting a feature for a newer branch of BIND9, RedHat introduced a path leading to an assertion failure in buffer.c:420. Affects RedHat versions bind-9.9.4-65.el7 -> bind-9.9.4-72.el7. No ISC releases are affected. Other packages from other distributions who made the same error may also be affected. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5742 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2018-5743 CVE STATUS: Patched CVE SUMMARY: By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5743 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2018-5744 CVE STATUS: Patched CVE SUMMARY: A failure to free memory can occur when processing messages having a specific combination of EDNS options. Versions affected are: BIND 9.10.7 -> 9.10.8-P1, 9.11.3 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.10.7-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5744 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2018-5745 CVE STATUS: Patched CVE SUMMARY: "managed-keys" is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5745. CVSS v2 BASE SCORE: 3.5 CVSS v3 BASE SCORE: 4.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5745 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2019-6465 CVE STATUS: Patched CVE SUMMARY: Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6465 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2019-6467 CVE STATUS: Patched CVE SUMMARY: A programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally. The most likely scenario where this might occur is if the server, in addition to performing NXDOMAIN redirection for recursive clients, is also serving a local copy of the root zone or using mirroring to provide the root zone, although other configurations are also possible. Versions affected: BIND 9.12.0-> 9.12.4, 9.14.0. Also affects all releases in the 9.13 development branch. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6467 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2019-6468 CVE STATUS: Patched CVE SUMMARY: In BIND Supported Preview Edition, an error in the nxdomain-redirect feature can occur in versions which support EDNS Client Subnet (ECS) features. In those versions which have ECS support, enabling nxdomain-redirect is likely to lead to BIND exiting due to assertion failure. Versions affected: BIND Supported Preview Edition version 9.10.5-S1 -> 9.11.5-S5. ONLY BIND Supported Preview Edition releases are affected. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6468 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2019-6469 CVE STATUS: Patched CVE SUMMARY: An error in the EDNS Client Subnet (ECS) feature for recursive resolvers can cause BIND to exit with an assertion failure when processing a response that has malformed RRSIGs. Versions affected: BIND 9.10.5-S1 -> 9.11.6-S1 of BIND 9 Supported Preview Edition. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6469 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2019-6471 CVE STATUS: Patched CVE SUMMARY: A race condition which may occur when discarding malformed packets can result in BIND exiting due to a REQUIRE assertion failure in dispatch.c. Versions affected: BIND 9.11.0 -> 9.11.7, 9.12.0 -> 9.12.4-P1, 9.14.0 -> 9.14.2. Also all releases of the BIND 9.13 development branch and version 9.15.0 of the BIND 9.15 development branch and BIND Supported Preview Edition versions 9.11.3-S1 -> 9.11.7-S1. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6471 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2019-6475 CVE STATUS: Patched CVE SUMMARY: Mirror zones are a BIND feature allowing recursive servers to pre-cache zone data provided by other servers. A mirror zone is similar to a zone of type secondary, except that its data is subject to DNSSEC validation before being used in answers, as if it had been looked up via traditional recursion, and when mirror zone data cannot be validated, BIND falls back to using traditional recursion instead of the mirror zone. However, an error in the validity checks for the incoming zone data can allow an on-path attacker to replace zone data that was validated with a configured trust anchor with forged data of the attacker's choosing. The mirror zone feature is most often used to serve a local copy of the root zone. If an attacker was able to insert themselves into the network path between a recursive server using a mirror zone and a root name server, this vulnerability could then be used to cause the recursive server to accept a copy of falsified root zone data. This affects BIND versions 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6475 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2019-6476 CVE STATUS: Patched CVE SUMMARY: A defect in code added to support QNAME minimization can cause named to exit with an assertion failure if a forwarder returns a referral rather than resolving the query. This affects BIND versions 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6476 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2019-6477 CVE STATUS: Patched CVE SUMMARY: With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6477 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2020-8616 CVE STATUS: Patched CVE SUMMARY: A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8616 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2020-8617 CVE STATUS: Patched CVE SUMMARY: Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8617 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2020-8618 CVE STATUS: Patched CVE SUMMARY: An attacker who is permitted to send zone data to a server via zone transfer can exploit this to intentionally trigger the assertion failure with a specially constructed zone, denying service to clients. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 4.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8618 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2020-8619 CVE STATUS: Patched CVE SUMMARY: In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND 9.14.9 -> 9.14.12, BIND 9.16.0 -> 9.16.3, BIND Supported Preview Edition 9.11.14-S1 -> 9.11.19-S1: Unless a nameserver is providing authoritative service for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk ("*") character, this defect cannot be encountered. A would-be attacker who is allowed to change zone content could theoretically introduce such a record in order to exploit this condition to cause denial of service, though we consider the use of this vector unlikely because any such attack would require a significant privilege level and be easily traceable. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 4.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8619 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2020-8620 CVE STATUS: Patched CVE SUMMARY: In BIND 9.15.6 -> 9.16.5, 9.17.0 -> 9.17.3, An attacker who can establish a TCP connection with the server and send data on that connection can exploit this to trigger the assertion failure, causing the server to exit. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8620 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2020-8621 CVE STATUS: Patched CVE SUMMARY: In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, If a server is configured with both QNAME minimization and 'forward first' then an attacker who can send queries to it may be able to trigger the condition that will cause the server to crash. Servers that 'forward only' are not affected. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8621 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2020-8622 CVE STATUS: Patched CVE SUMMARY: In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8622 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2020-8623 CVE STATUS: Patched CVE SUMMARY: In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with "--enable-native-pkcs11" * be signing one or more zones with an RSA key * be able to receive queries from a possible attacker CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8623 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2020-8624 CVE STATUS: Patched CVE SUMMARY: In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker who has been granted privileges to change a specific subset of the zone's content could abuse these unintended additional privileges to update other contents of the zone. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8624 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2020-8625 CVE STATUS: Patched CVE SUMMARY: BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credentialconfiguration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8625 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2021-25214 CVE STATUS: Patched CVE SUMMARY: In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-25214 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2021-25215 CVE STATUS: Patched CVE SUMMARY: In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check. The vulnerability affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other versions of BIND 9. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-25215 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2021-25216 CVE STATUS: Patched CVE SUMMARY: In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly also to achieve remote code execution. We have determined that standard SPNEGO implementations are available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems, rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16 (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation, we have made an exception in this case for reasons of stability and security. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-25216 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2021-25218 CVE STATUS: Patched CVE SUMMARY: In BIND 9.16.19, 9.17.16. Also, version 9.16.19-S1 of BIND Supported Preview Edition When a vulnerable version of named receives a query under the circumstances described above, the named process will terminate due to a failed assertion check. The vulnerability affects only BIND 9 releases 9.16.19, 9.17.16, and release 9.16.19-S1 of the BIND Supported Preview Edition. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-25218 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2021-25219 CVE STATUS: Patched CVE SUMMARY: In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-25219 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2021-25220 CVE STATUS: Patched CVE SUMMARY: BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -> 9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-25220 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2022-0396 CVE STATUS: Patched CVE SUMMARY: BIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions 9.16.11-S1 -> 9.16.26-S1 of the BIND Supported Preview Edition. Specifically crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period of time, even after the client has terminated the connection. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0396 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2022-0635 CVE STATUS: Patched CVE SUMMARY: Versions affected: BIND 9.18.0 When a vulnerable version of named receives a series of specific queries, the named process will eventually terminate due to a failed assertion check. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0635 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2022-0667 CVE STATUS: Patched CVE SUMMARY: When the vulnerability is triggered the BIND process will exit. BIND 9.18.0 CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0667 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2022-1183 CVE STATUS: Patched CVE SUMMARY: On vulnerable configurations, the named daemon may, in some circumstances, terminate with an assertion failure. Vulnerable configurations are those that include a reference to http within the listen-on statements in their named.conf. TLS is used by both DNS over TLS (DoT) and DNS over HTTPS (DoH), but configurations using DoT alone are unaffected. Affects BIND 9.18.0 -> 9.18.2 and version 9.19.0 of the BIND 9.19 development branch. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1183 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2022-2795 CVE STATUS: Patched CVE SUMMARY: By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2795 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2022-2881 CVE STATUS: Patched CVE SUMMARY: The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2881 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2022-2906 CVE STATUS: Patched CVE SUMMARY: An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2906 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2022-3080 CVE STATUS: Patched CVE SUMMARY: By sending specific queries to the resolver, an attacker can cause named to crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3080 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2022-3094 CVE STATUS: Patched CVE SUMMARY: Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of internal resources rather than memory constraints. This may reduce performance but should not be a significant problem for most servers. Therefore we don't intend to address this for BIND versions prior to BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3094 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2022-3488 CVE STATUS: Patched CVE SUMMARY: Processing of repeated responses to the same query, where both responses contain ECS pseudo-options, but where the first is broken in some way, can cause BIND to exit with an assertion failure. 'Broken' in this context is anything that would cause the resolver to reject the query response, such as a mismatch between query and answer name. This issue affects BIND 9 versions 9.11.4-S1 through 9.11.37-S1 and 9.16.8-S1 through 9.16.36-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3488 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2022-3736 CVE STATUS: Patched CVE SUMMARY: BIND 9 resolver can crash when stale cache and stale answers are enabled, option `stale-answer-client-timeout` is set to a positive integer, and the resolver receives an RRSIG query. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3736 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2022-38177 CVE STATUS: Patched CVE SUMMARY: By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-38177 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2022-38178 CVE STATUS: Patched CVE SUMMARY: By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-38178 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2022-3924 CVE STATUS: Patched CVE SUMMARY: This issue can affect BIND 9 resolvers with `stale-answer-enable yes;` that also make use of the option `stale-answer-client-timeout`, configured with a value greater than zero. If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client (see BIND 9 ARM `recursive-clients` limit and soft quota), then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3924 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2023-2828 CVE STATUS: Patched CVE SUMMARY: Every `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the `max-cache-size` statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit. It has been discovered that the effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2828 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2023-2829 CVE STATUS: Patched CVE SUMMARY: A `named` instance configured to run as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option (`synth-from-dnssec`) enabled can be remotely terminated using a zone with a malformed NSEC record. This issue affects BIND 9 versions 9.16.8-S1 through 9.16.41-S1 and 9.18.11-S1 through 9.18.15-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2829 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2023-2911 CVE STATUS: Patched CVE SUMMARY: If the `recursive-clients` quota is reached on a BIND 9 resolver configured with both `stale-answer-enable yes;` and `stale-answer-client-timeout 0;`, a sequence of serve-stale-related lookups could cause `named` to loop and terminate unexpectedly due to a stack overflow. This issue affects BIND 9 versions 9.16.33 through 9.16.41, 9.18.7 through 9.18.15, 9.16.33-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2911 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2023-3341 CVE STATUS: Patched CVE SUMMARY: The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3341 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2023-4236 CVE STATUS: Patched CVE SUMMARY: A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load. This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4236 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2023-4408 CVE STATUS: Patched CVE SUMMARY: The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issue affects BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4408 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2023-50387 CVE STATUS: Patched CVE SUMMARY: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-50387 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2023-50868 CVE STATUS: Patched CVE SUMMARY: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-50868 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2023-5517 CVE STATUS: Patched CVE SUMMARY: A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect ;` is configured, and - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5517 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2023-5679 CVE STATUS: Patched CVE SUMMARY: A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5679 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2023-5680 CVE STATUS: Patched CVE SUMMARY: If a resolver cache has a very large number of ECS records stored for the same name, the process of cleaning the cache database node for this name can significantly impair query performance. This issue affects BIND 9 versions 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5680 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2023-6516 CVE STATUS: Patched CVE SUMMARY: To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6516 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2026-1519 CVE STATUS: Unpatched CVE SUMMARY: If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-1519 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2026-3039 CVE STATUS: Unpatched CVE SUMMARY: BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3039 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2026-3104 CVE STATUS: Patched CVE SUMMARY: A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3104 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2026-3119 CVE STATUS: Patched CVE SUMMARY: Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3119 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2026-3591 CVE STATUS: Patched CVE SUMMARY: A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3591 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2026-3592 CVE STATUS: Unpatched CVE SUMMARY: BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3592 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2026-3593 CVE STATUS: Patched CVE SUMMARY: A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3593 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2026-5946 CVE STATUS: Unpatched CVE SUMMARY: Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5946 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2026-5947 CVE STATUS: Patched CVE SUMMARY: Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5947 LAYER: meta PACKAGE NAME: bind PACKAGE VERSION: 9.18.41 CVE: CVE-2026-5950 CVE STATUS: Unpatched CVE SUMMARY: An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5950 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2004-2531 CVE STATUS: Patched CVE SUMMARY: X.509 Certificate Signature Verification in Gnu transport layer security library (GnuTLS) 1.0.16 allows remote attackers to cause a denial of service (CPU consumption) via certificates containing long chains and signed with large RSA keys. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2531 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2005-1431 CVE STATUS: Patched CVE SUMMARY: The "record packet parsing" in GnuTLS 1.2 before 1.2.3 and 1.0 before 1.0.25 allows remote attackers to cause a denial of service, possibly related to padding bytes in gnutils_cipher.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1431 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2006-4790 CVE STATUS: Patched CVE SUMMARY: verify.c in GnuTLS before 1.4.4, when using an RSA key with exponent 3, does not properly handle excess data in the digestAlgorithm.parameters field when generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents GnuTLS from correctly verifying X.509 and other certificates that use PKCS, a variant of CVE-2006-4339. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4790 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2006-7239 CVE STATUS: Patched CVE SUMMARY: The _gnutls_x509_oid2mac_algorithm function in lib/gnutls_algorithms.c in GnuTLS before 1.4.2 allows remote attackers to cause a denial of service (crash) via a crafted X.509 certificate that uses a hash algorithm that is not supported by GnuTLS, which triggers a NULL pointer dereference. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7239 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2008-1948 CVE STATUS: Patched CVE SUMMARY: The _gnutls_server_name_recv_params function in lib/ext_server_name.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly calculate the number of Server Names in a TLS 1.0 Client Hello message during extension handling, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a zero value for the length of Server Names, which leads to a buffer overflow in session resumption data in the pack_security_parameters function, aka GNUTLS-SA-2008-1-1. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1948 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2008-1949 CVE STATUS: Patched CVE SUMMARY: The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already been processed, which allows remote attackers to cause a denial of service (NULL dereference and crash) via a TLS message containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1949 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2008-1950 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4 allows remote attackers to cause a denial of service (buffer over-read and crash) via a certain integer value in the Random field in an encrypted Client Hello message within a TLS record with an invalid Record Length, which leads to an invalid cipher padding length, aka GNUTLS-SA-2008-1-3. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1950 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2008-2377 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the _gnutls_handshake_hash_buffers_clear function in lib/gnutls_handshake.c in libgnutls in GnuTLS 2.3.5 through 2.4.0 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via TLS transmission of data that is improperly used when the peer calls gnutls_handshake within a normal session, leading to attempted access to a deallocated libgcrypt handle. CVSS v2 BASE SCORE: 7.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2377 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2008-4989 CVE STATUS: Patched CVE SUMMARY: The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4989 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2009-1415 CVE STATUS: Patched CVE SUMMARY: lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not properly handle invalid DSA signatures, which allows remote attackers to cause a denial of service (application crash) and possibly have unspecified other impact via a malformed DSA key that triggers a (1) free of an uninitialized pointer or (2) double free. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1415 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2009-1416 CVE STATUS: Patched CVE SUMMARY: lib/gnutls_pk.c in libgnutls in GnuTLS 2.5.0 through 2.6.5 generates RSA keys stored in DSA structures, instead of the intended DSA keys, which might allow remote attackers to spoof signatures on certificates or have unspecified other impact by leveraging an invalid DSA key. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1416 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2009-1417 CVE STATUS: Patched CVE SUMMARY: gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1417 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2009-2409 CVE STATUS: Patched CVE SUMMARY: The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2409 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2009-2730 CVE STATUS: Patched CVE SUMMARY: libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's (1) Common Name (CN) or (2) Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2730 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2009-3555 CVE STATUS: Patched CVE SUMMARY: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3555 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2009-5138 CVE STATUS: Patched CVE SUMMARY: GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag is not enabled, treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging a X.509 V1 certificate from a trusted CA to issue new certificates, a different vulnerability than CVE-2014-1959. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5138 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2010-0731 CVE STATUS: Patched CVE SUMMARY: The gnutls_x509_crt_get_serial function in the GnuTLS library before 1.2.1, when running on big-endian, 64-bit platforms, calls the asn1_read_value with a pointer to the wrong data type and the wrong length value, which allows remote attackers to bypass the certificate revocation list (CRL) check and cause a stack-based buffer overflow via a crafted X.509 certificate, related to extraction of a serial number. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0731 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2011-4128 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the gnutls_session_get_data function in lib/gnutls_session.c in GnuTLS 2.12.x before 2.12.14 and 3.x before 3.0.7, when used on a client that performs nonstandard session resumption, allows remote TLS servers to cause a denial of service (application crash) via a large SessionTicket. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4128 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2012-0390 CVE STATUS: Patched CVE SUMMARY: The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain error-handling code only if there is a specific relationship between a padding length and the ciphertext size, which makes it easier for remote attackers to recover partial plaintext via a timing side-channel attack, a related issue to CVE-2011-4108. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0390 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2012-1569 CVE STATUS: Patched CVE SUMMARY: The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1569 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2012-1573 CVE STATUS: Patched CVE SUMMARY: gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with a block cipher, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record, as demonstrated by a crafted GenericBlockCipher structure. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1573 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2012-1663 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in libgnutls in GnuTLS before 3.0.14 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted certificate list. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1663 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2013-1619 CVE STATUS: Patched CVE SUMMARY: The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1619 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2013-2116 CVE STATUS: Patched CVE SUMMARY: The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 2.12.23 allows remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. NOTE: this might be due to an incorrect fix for CVE-2013-0169. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2116 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2013-4466 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the dane_query_tlsa function in the DANE library (libdane) in GnuTLS 3.1.x before 3.1.15 and 3.2.x before 3.2.5 allows remote servers to cause a denial of service (memory corruption) via a response with more than four DANE entries. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4466 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2013-4487 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the dane_raw_tlsa in the DANE library (libdane) in GnuTLS 3.1.x before 3.1.16 and 3.2.x before 3.2.6 allows remote servers to cause a denial of service (memory corruption) via a response with more than four DANE entries. NOTE: this issue is due to an incomplete fix for CVE-2013-4466. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4487 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2014-0092 CVE STATUS: Patched CVE SUMMARY: lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0092 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2014-1959 CVE STATUS: Patched CVE SUMMARY: lib/x509/verify.c in GnuTLS before 3.1.21 and 3.2.x before 3.2.11 treats version 1 X.509 certificates as intermediate CAs, which allows remote attackers to bypass intended restrictions by leveraging a X.509 V1 certificate from a trusted CA to issue new certificates. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1959 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2014-3465 CVE STATUS: Patched CVE SUMMARY: The gnutls_x509_dn_oid_name function in lib/x509/common.c in GnuTLS 3.0 before 3.1.20 and 3.2.x before 3.2.10 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted X.509 certificate, related to a missing LDAP description for an OID when printing the DN. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3465 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2014-3466 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a long session id in a ServerHello message. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3466 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2014-3467 CVE STATUS: Patched CVE SUMMARY: Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn1 before 3.6, as used in GnuTLS, allow remote attackers to cause a denial of service (out-of-bounds read) via crafted ASN.1 data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3467 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2014-3468 CVE STATUS: Patched CVE SUMMARY: The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3468 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2014-3469 CVE STATUS: Patched CVE SUMMARY: The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 before 3.6 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3469 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2014-8155 CVE STATUS: Patched CVE SUMMARY: GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate that is (1) not yet valid or (2) no longer valid. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8155 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2014-8564 CVE STATUS: Patched CVE SUMMARY: The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS 3.x before 3.1.28, 3.2.x before 3.2.20, and 3.3.x before 3.3.10 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) Elliptic Curve Cryptography (ECC) certificate or (2) certificate signing requests (CSR), related to generating key IDs. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8564 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2015-0282 CVE STATUS: Patched CVE SUMMARY: GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature algorithm matches the signature algorithm in the certificate, which allows remote attackers to conduct downgrade attacks via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0282 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2015-0294 CVE STATUS: Patched CVE SUMMARY: GnuTLS before 3.3.13 does not validate that the signature algorithms match when importing a certificate. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0294 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2015-3308 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in lib/x509/x509_ext.c in GnuTLS before 3.3.14 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted CRL distribution point. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3308 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2015-6251 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in GnuTLS before 3.3.17 and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service via a long DistinguishedName (DN) entry in a certificate. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6251 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2015-8313 CVE STATUS: Patched CVE SUMMARY: GnuTLS incorrectly validates the first byte of padding in CBC modes CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8313 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2016-4456 CVE STATUS: Patched CVE SUMMARY: The "GNUTLS_KEYLOGFILE" environment variable in gnutls 3.4.12 allows remote attackers to overwrite and corrupt arbitrary files in the filesystem. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4456 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2016-7444 CVE STATUS: Patched CVE SUMMARY: The gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7444 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2017-5334 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in the gnutls_x509_ext_import_proxy function in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allows remote attackers to have unspecified impact via crafted policy language information in an X.509 certificate with a Proxy Certificate Information extension. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5334 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2017-5335 CVE STATUS: Patched CVE SUMMARY: The stream reading functions in lib/opencdk/read-packet.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to cause a denial of service (out-of-memory error and crash) via a crafted OpenPGP certificate. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5335 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2017-5336 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the cdk_pk_get_keyid function in lib/opencdk/pubkey.c in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allows remote attackers to have unspecified impact via a crafted OpenPGP certificate. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5336 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2017-5337 CVE STATUS: Patched CVE SUMMARY: Multiple heap-based buffer overflows in the read_attribute function in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 allow remote attackers to have unspecified impact via a crafted OpenPGP certificate. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5337 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2017-7507 CVE STATUS: Patched CVE SUMMARY: GnuTLS version 3.5.12 and earlier is vulnerable to a NULL pointer dereference while decoding a status response TLS extension with valid contents. This could lead to a crash of the GnuTLS server application. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7507 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2017-7869 CVE STATUS: Patched CVE SUMMARY: GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integer overflow and heap-based buffer overflow related to the cdk_pkt_read function in opencdk/read-packet.c. This issue (which is a subset of the vendor's GNUTLS-SA-2017-3 report) is fixed in 3.5.10. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7869 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2018-10844 CVE STATUS: Patched CVE SUMMARY: It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10844 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2018-10845 CVE STATUS: Patched CVE SUMMARY: It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10845 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2018-10846 CVE STATUS: Patched CVE SUMMARY: A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of "Just in Time" Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10846 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2018-16868 CVE STATUS: Patched CVE SUMMARY: A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16868 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2019-3829 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7. A memory corruption (double free) vulnerability in the certificate verification API. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3829 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2019-3836 CVE STATUS: Patched CVE SUMMARY: It was discovered in gnutls before version 3.6.7 upstream that there is an uninitialized pointer access in gnutls versions 3.6.3 or later which can be triggered by certain post-handshake messages. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3836 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2020-11501 CVE STATUS: Patched CVE SUMMARY: GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11501 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2020-13777 CVE STATUS: Patched CVE SUMMARY: GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13777 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2020-24659 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24659 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2021-20231 CVE STATUS: Patched CVE SUMMARY: A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20231 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2021-20232 CVE STATUS: Patched CVE SUMMARY: A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20232 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2021-4209 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4209 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2022-2509 CVE STATUS: Patched CVE SUMMARY: A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2509 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2023-0361 CVE STATUS: Patched CVE SUMMARY: A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0361 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2023-5981 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5981 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2024-0553 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0553 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2024-0567 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0567 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2024-12243 CVE STATUS: Patched CVE SUMMARY: A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-12243 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2025-32988 CVE STATUS: Patched CVE SUMMARY: A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32988 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2025-32989 CVE STATUS: Patched CVE SUMMARY: A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32989 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2025-32990 CVE STATUS: Patched CVE SUMMARY: A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32990 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2025-6395 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite(). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-6395 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2025-9820 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-9820 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2026-1584 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and resulting in a remote Denial of Service (DoS) condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-1584 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2026-33845 CVE STATUS: Unpatched CVE SUMMARY: A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-33845 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2026-3832 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3832 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2026-3833 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3833 LAYER: meta PACKAGE NAME: gnutls PACKAGE VERSION: 3.8.4 CVE: CVE-2026-42010 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-42010 LAYER: meta PACKAGE NAME: mesa PACKAGE VERSION: 2_24.0.7 CVE: CVE-2001-0474 CVE STATUS: Patched CVE SUMMARY: Utah-glx in Mesa before 3.3-14 on Mandrake Linux 7.2 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/glxmemory file. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0474 LAYER: meta PACKAGE NAME: mesa PACKAGE VERSION: 2_24.0.7 CVE: CVE-2013-1872 CVE STATUS: Patched CVE SUMMARY: The Intel drivers in Mesa 8.0.x and 9.0.x allow context-dependent attackers to cause a denial of service (reachable assertion and crash) and possibly execute arbitrary code via vectors involving 3d graphics that trigger an out-of-bounds array access, related to the fs_visitor::remove_dead_constants function. NOTE: this issue might be related to CVE-2013-0796. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1872 LAYER: meta PACKAGE NAME: mesa PACKAGE VERSION: 2_24.0.7 CVE: CVE-2013-1993 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in X.org libGLX in Mesa 9.1.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XF86DRIOpenConnection and (2) XF86DRIGetClientDriverName functions. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1993 LAYER: meta PACKAGE NAME: mesa PACKAGE VERSION: 2_24.0.7 CVE: CVE-2019-5068 CVE STATUS: Patched CVE SUMMARY: An exploitable shared memory permissions vulnerability exists in the functionality of X11 Mesa 3D Graphics Library 19.1.2. An attacker can access the shared memory without any specific permissions to trigger this vulnerability. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 5.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5068 LAYER: meta PACKAGE NAME: mesa PACKAGE VERSION: 2_24.0.7 CVE: CVE-2023-45913 CVE STATUS: Patched CVE SUMMARY: Mesa v23.0.4 was discovered to contain a NULL pointer dereference via the function dri2GetGlxDrawableFromXDrawableId(). This vulnerability is triggered when the X11 server sends an DRI2_BufferSwapComplete event unexpectedly when the application is using DRI3. NOTE: this is disputed because there is no scenario in which the vulnerability was demonstrated. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-45913 LAYER: meta PACKAGE NAME: mesa PACKAGE VERSION: 2_24.0.7 CVE: CVE-2023-45919 CVE STATUS: Patched CVE SUMMARY: Mesa 23.0.4 was discovered to contain a buffer over-read in glXQueryServerString(). NOTE: this is disputed because there are no common situations in which users require uninterrupted operation with an attacker-controller server. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-45919 LAYER: meta PACKAGE NAME: mesa PACKAGE VERSION: 2_24.0.7 CVE: CVE-2023-45922 CVE STATUS: Patched CVE SUMMARY: glx_pbuffer.c in Mesa 23.0.4 was discovered to contain a segmentation violation when calling __glXGetDrawableAttribute(). NOTE: this is disputed because there are no common situations in which users require uninterrupted operation with an attacker-controller server. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-45922 LAYER: meta PACKAGE NAME: mesa PACKAGE VERSION: 2_24.0.7 CVE: CVE-2023-45931 CVE STATUS: Patched CVE SUMMARY: Mesa 23.0.4 was discovered to contain a NULL pointer dereference in check_xshm() for the has_error state. NOTE: this is disputed because there is no scenario in which the vulnerability was demonstrated. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-45931 LAYER: meta PACKAGE NAME: mesa PACKAGE VERSION: 2_24.0.7 CVE: CVE-2026-29075 CVE STATUS: Patched CVE SUMMARY: Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out of untrusted code in benchmarks.yml workflow may lead to code execution in privileged runner. This issue has been patched via commit c35b8cd. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-29075 LAYER: meta PACKAGE NAME: mesa PACKAGE VERSION: 2_24.0.7 CVE: CVE-2026-40393 CVE STATUS: Unpatched CVE SUMMARY: In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-40393 LAYER: meta-oe PACKAGE NAME: tmux PACKAGE VERSION: 3.3a CVE: CVE-2011-1496 CVE STATUS: Patched CVE SUMMARY: tmux 1.3 and 1.4 does not properly drop group privileges, which allows local users to gain utmp group privileges via a filename to the -S command-line option. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1496 LAYER: meta-oe PACKAGE NAME: tmux PACKAGE VERSION: 3.3a CVE: CVE-2020-27347 CVE STATUS: Patched CVE SUMMARY: In tmux before version 3.1c the function input_csi_dispatch_sgr_colon() in file input.c contained a stack-based buffer-overflow that can be exploited by terminal output. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27347 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2012-4559 CVE STATUS: Patched CVE SUMMARY: Multiple double free vulnerabilities in the (1) agent_sign_data function in agent.c, (2) channel_request function in channels.c, (3) ssh_userauth_pubkey function in auth.c, (4) sftp_parse_attr_3 function in sftp.c, and (5) try_publickey_from_file function in keyfiles.c in libssh before 0.5.3 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4559 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2012-4560 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in libssh before 0.5.3 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4560 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2012-4561 CVE STATUS: Patched CVE SUMMARY: The (1) publickey_make_dss, (2) publickey_make_rsa, (3) signature_from_string, (4) ssh_do_sign, and (5) ssh_sign_session_id functions in keys.c in libssh before 0.5.3 free "an invalid pointer on an error path," which might allow remote attackers to cause a denial of service (crash) via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4561 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2012-4562 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in libssh before 0.5.3 allow remote attackers to cause a denial of service (infinite loop or crash) and possibly execute arbitrary code via unspecified vectors, which triggers a buffer overflow, infinite loop, or possibly some other unspecified vulnerabilities. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4562 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2012-6063 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in the sftp_mkdir function in sftp.c in libssh before 0.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors, a different vector than CVE-2012-4559. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6063 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2013-0176 CVE STATUS: Patched CVE SUMMARY: The publickey_from_privatekey function in libssh before 0.5.4, when no algorithm is matched during negotiations, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a "Client: Diffie-Hellman Key Exchange Init" packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0176 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2014-0017 CVE STATUS: Patched CVE SUMMARY: The RAND_bytes function in libssh before 0.6.3, when forking is enabled, does not properly reset the state of the OpenSSL pseudo-random number generator (PRNG), which causes the state to be shared between children processes and allows local users to obtain sensitive information by leveraging a pid collision. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0017 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2014-8132 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in the ssh_packet_kexinit function in kex.c in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial of service via a crafted kexinit packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8132 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2015-3146 CVE STATUS: Patched CVE SUMMARY: The (1) SSH_MSG_NEWKEYS and (2) SSH_MSG_KEXDH_REPLY packet handlers in package_cb.c in libssh before 0.6.5 do not properly validate state, which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted SSH packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3146 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2016-0739 CVE STATUS: Patched CVE SUMMARY: libssh before 0.7.3 improperly truncates ephemeral secrets generated for the (1) diffie-hellman-group1 and (2) diffie-hellman-group14 key exchange methods to 128 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a "bits/bytes confusion bug." CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0739 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2018-10933 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10933 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2019-14889 CVE STATUS: Patched CVE SUMMARY: A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14889 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2020-16135 CVE STATUS: Patched CVE SUMMARY: libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16135 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2020-1730 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1730 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2021-3634 CVE STATUS: Patched CVE SUMMARY: A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating "secret_hash" of different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during second key re-exchange. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3634 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2023-1667 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference was found In libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1667 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2023-2283 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the`pki_verify_data_signature` function in memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value `rc,` which is initialized to SSH_ERROR and later rewritten to save the return value of the function call `pki_key_check_hash_compatible.` The value of the variable is not changed between this point and the cryptographic verification. Therefore any error between them calls `goto error` returning SSH_OK. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2283 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2023-3603 CVE STATUS: Patched CVE SUMMARY: A missing allocation check in sftp server processing read requests may cause a NULL dereference on low-memory conditions. The malicious client can request up to 4GB SFTP reads, causing allocation of up to 4GB buffers, which was not being checked for failure. This will likely crash the authenticated user's sftp server connection (if implemented as forking as recommended). For thread-based servers, this might also cause DoS for legitimate users. Given this code is not in any released versions, no security releases have been issued. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3603 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2023-48795 CVE STATUS: Patched CVE SUMMARY: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-48795 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2023-6004 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6004 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2023-6918 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6918 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2025-14821 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-14821 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2025-4877 CVE STATUS: Patched CVE SUMMARY: There's a vulnerability in the libssh package where when a libssh consumer passes in an unexpectedly large input buffer to ssh_get_fingerprint_hash() function. In such cases the bin_to_base64() function can experience an integer overflow leading to a memory under allocation, when that happens it's possible that the program perform out of bounds write leading to a heap corruption. This issue affects only 32-bits builds of libssh. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-4877 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2025-4878 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-4878 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2025-5318 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-5318 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2025-5351 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-5351 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2025-5372 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-5372 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2025-5449 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the SFTP server message decoding logic of libssh. The issue occurs due to an incorrect packet length check that allows an integer overflow when handling large payload sizes on 32-bit systems. This issue leads to failed memory allocation and causes the server process to crash, resulting in a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-5449 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2025-5987 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-5987 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2025-8114 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-8114 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2025-8277 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-8277 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2026-0964 CVE STATUS: Unpatched CVE SUMMARY: A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences. This is the same issue as in OpenSSH, tracked as CVE-2019-6111. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-0964 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2026-0965 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system is misconfigured. This vulnerability could lead to a Denial of Service (DoS) by causing the system to try and access dangerous files, such as block devices or large system files, which can disrupt normal operations. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-0965 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2026-0966 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to `SSH_LOG_PACKET (3)` or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-0966 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2026-0967 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the `match_pattern()` function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 2.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-0967 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2026-0968 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libssh in which a malicious SFTP (SSH File Transfer Protocol) server can exploit this by sending a malformed 'longname' field within an `SSH_FXP_NAME` message during a file listing operation. This missing null check can lead to reading beyond allocated memory on the heap. This can cause unexpected behavior or lead to a denial of service (DoS) due to application crashes. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-0968 LAYER: meta-oe PACKAGE NAME: libssh PACKAGE VERSION: 0.10.6 CVE: CVE-2026-3731 CVE STATUS: Unpatched CVE SUMMARY: A weakness has been identified in libssh up to 0.11.3. The impacted element is the function sftp_extensions_get_name/sftp_extensions_get_data of the file src/sftp.c of the component SFTP Extension Name Handler. Executing a manipulation of the argument idx can lead to out-of-bounds read. The attack may be performed from remote. Upgrading to version 0.11.4 and 0.12.0 is sufficient to resolve this issue. This patch is called 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60. You should upgrade the affected component. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 6.9 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3731 LAYER: meta PACKAGE NAME: lrzsz PACKAGE VERSION: 0.12.20 CVE: CVE-2018-10195 CVE STATUS: Patched CVE SUMMARY: lrzsz before version 0.12.21~rc can leak information to the receiving side due to an incorrect length check in the function zsdata that causes a size_t to wrap around. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10195 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2004-0691 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2004-0692 CVE STATUS: Patched CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2004-0693 CVE STATUS: Patched CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2005-0627 CVE STATUS: Patched CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2006-4811 CVE STATUS: Patched CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2007-0242 CVE STATUS: Patched CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2007-3388 CVE STATUS: Patched CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2007-4137 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2009-2700 CVE STATUS: Patched CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2010-1766 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2010-2621 CVE STATUS: Patched CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2010-5076 CVE STATUS: Patched CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2011-3193 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2011-3194 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2012-5624 CVE STATUS: Patched CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2012-6093 CVE STATUS: Patched CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2013-0254 CVE STATUS: Patched CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2013-4549 CVE STATUS: Patched CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2014-0190 CVE STATUS: Patched CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-0295 CVE STATUS: Patched CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1290 CVE STATUS: Patched CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1858 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1859 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1860 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-7298 CVE STATUS: Patched CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-9541 CVE STATUS: Patched CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2017-10904 CVE STATUS: Patched CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2017-10905 CVE STATUS: Patched CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2017-15011 CVE STATUS: Patched CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-15518 CVE STATUS: Patched CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19865 CVE STATUS: Patched CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19869 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19870 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19871 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19872 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19873 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-21035 CVE STATUS: Patched CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-0569 CVE STATUS: Patched CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 5.7 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-0570 CVE STATUS: Patched CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-12267 CVE STATUS: Patched CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-13962 CVE STATUS: Patched CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.) CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-17507 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-24742 CVE STATUS: Patched CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2021-28025 CVE STATUS: Patched CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2021-3481 CVE STATUS: Patched CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2021-38593 CVE STATUS: Patched CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-25255 CVE STATUS: Patched CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-25634 CVE STATUS: Patched CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-40983 CVE STATUS: Patched CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-43591 CVE STATUS: Patched CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-24607 CVE STATUS: Patched CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32573 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32762 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32763 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-33285 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-34410 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-37369 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-38197 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-43114 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-51714 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-25580 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-25580 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-30161 CVE STATUS: Patched CVE SUMMARY: In Qt 6.5.4, 6.5.5, and 6.6.2, QNetworkReply header data might be accessed via a dangling pointer in Qt for WebAssembly (wasm). (Earlier and later versions are unaffected.) CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-30161 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-36048 CVE STATUS: Unpatched CVE SUMMARY: QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36048 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-39936 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-30348 CVE STATUS: Unpatched CVE SUMMARY: encodeText in QDom in Qt before 6.8.0 has a complex algorithm involving XML string copy and inline replacement of parts of a string (with relocation of later data). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-30348 LAYER: meta-qt5 PACKAGE NAME: qtcharts PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-5683 CVE STATUS: Patched CVE SUMMARY: When loading a specifically crafted ICNS format image file in QImage then it will trigger a crash. This issue affects Qt from versions 6.3.0 through 6.5.9, from 6.6.0 through 6.8.4, 6.9.0. This is fixed in 6.5.10, 6.8.5 and 6.9.1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 5.1 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-5683 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2009-0586 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the gst_vorbis_tag_add_coverart function (gst-libs/gst/tag/gstvorbistag.c) in vorbistag in gst-plugins-base (aka gstreamer-plugins-base) before 0.10.23 in GStreamer allows context-dependent attackers to execute arbitrary code via a crafted COVERART tag that is converted from a base64 representation, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0586 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2015-0797 CVE STATUS: Patched CVE SUMMARY: GStreamer before 1.4.5, as used in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 on Linux, allows remote attackers to cause a denial of service (buffer over-read and application crash) or possibly execute arbitrary code via crafted H.264 video data in an m4v file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0797 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2016-10198 CVE STATUS: Patched CVE SUMMARY: The gst_aac_parse_sink_setcaps function in gst/audioparsers/gstaacparse.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted audio file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10198 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2016-10199 CVE STATUS: Patched CVE SUMMARY: The qtdemux_tag_add_str_full function in gst/isomp4/qtdemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted tag value. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10199 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2016-9445 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the vmnc decoder in the gstreamer allows remote attackers to cause a denial of service (crash) via large width and height values, which triggers a buffer overflow. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9445 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2016-9446 CVE STATUS: Patched CVE SUMMARY: The vmnc decoder in the gstreamer does not initialize the render canvas, which allows remote attackers to obtain sensitive information as demonstrated by thumbnailing a simple 1 frame vmnc movie that does not draw to the allocated render canvas. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9446 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2016-9447 CVE STATUS: Patched CVE SUMMARY: The ROM mappings in the NSF decoder in gstreamer 0.10.x allow remote attackers to cause a denial of service (out-of-bounds read or write) and possibly execute arbitrary code via a crafted NSF music file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9447 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2016-9634 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via the start_line parameter. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9634 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2016-9635 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by providing a 'skip count' that goes beyond initialized buffer. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9635 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2016-9636 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by providing a 'write count' that goes beyond the initialized buffer. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9636 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2016-9807 CVE STATUS: Patched CVE SUMMARY: The flx_decode_chunks function in gst/flx/gstflxdec.c in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted FLIC file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9807 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2016-9808 CVE STATUS: Patched CVE SUMMARY: The FLIC decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via a crafted series of skip and count pairs. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9808 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2016-9809 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the gst_h264_parse_set_caps function in GStreamer before 1.10.2 allows remote attackers to have unspecified impact via a crafted file, which triggers an out-of-bounds read. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9809 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2016-9810 CVE STATUS: Patched CVE SUMMARY: The gst_decode_chain_free_internal function in the flxdex decoder in gst-plugins-good in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (invalid memory read and crash) via an invalid file, which triggers an incorrect unref call. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9810 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2016-9811 CVE STATUS: Patched CVE SUMMARY: The windows_icon_typefind function in gst-plugins-base in GStreamer before 1.10.2, when G_SLICE is set to always-malloc, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted ico file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9811 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2016-9812 CVE STATUS: Patched CVE SUMMARY: The gst_mpegts_section_new function in the mpegts decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a too small section. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9812 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2016-9813 CVE STATUS: Patched CVE SUMMARY: The _parse_pat function in the mpegts parser in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9813 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2017-5837 CVE STATUS: Patched CVE SUMMARY: The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (floating point exception and crash) via a crafted video file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5837 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2017-5838 CVE STATUS: Patched CVE SUMMARY: The gst_date_time_new_from_iso8601_string function in gst/gstdatetime.c in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a malformed datetime string. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5838 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2017-5839 CVE STATUS: Patched CVE SUMMARY: The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 does not properly limit recursion, which allows remote attackers to cause a denial of service (stack overflow and crash) via vectors involving nested WAVEFORMATEX. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5839 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2017-5840 CVE STATUS: Patched CVE SUMMARY: The qtdemux_parse_samples function in gst/isomp4/qtdemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving the current stts index. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5840 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2017-5841 CVE STATUS: Patched CVE SUMMARY: The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving ncdt tags. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5841 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2017-5842 CVE STATUS: Patched CVE SUMMARY: The html_context_handle_element function in gst/subparse/samiparse.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted SMI file, as demonstrated by OneNote_Manager.smi. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5842 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2017-5843 CVE STATUS: Patched CVE SUMMARY: Multiple use-after-free vulnerabilities in the (1) gst_mini_object_unref, (2) gst_tag_list_unref, and (3) gst_mxf_demux_update_essence_tracks functions in GStreamer before 1.10.3 allow remote attackers to cause a denial of service (crash) via vectors involving stream tags, as demonstrated by 02785736.mxf. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5843 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2017-5844 CVE STATUS: Patched CVE SUMMARY: The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (floating point exception and crash) via a crafted ASF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5844 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2017-5845 CVE STATUS: Patched CVE SUMMARY: The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a ncdt sub-tag that "goes behind" the surrounding tag. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5845 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2017-5846 CVE STATUS: Patched CVE SUMMARY: The gst_asf_demux_process_ext_stream_props function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors related to the number of languages in a video file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5846 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2017-5847 CVE STATUS: Patched CVE SUMMARY: The gst_asf_demux_process_ext_content_desc function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving extended content descriptors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5847 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2017-5848 CVE STATUS: Patched CVE SUMMARY: The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in gst-plugins-bad in GStreamer allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors involving PSM parsing. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5848 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2019-9928 CVE STATUS: Patched CVE SUMMARY: GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server, potentially allowing remote code execution. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9928 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2021-3497 CVE STATUS: Patched CVE SUMMARY: GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3497 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2021-3498 CVE STATUS: Patched CVE SUMMARY: GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3498 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2021-3522 CVE STATUS: Patched CVE SUMMARY: GStreamer before 1.18.4 may perform an out-of-bounds read when handling certain ID3v2 tags. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3522 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2022-1920 CVE STATUS: Patched CVE SUMMARY: Integer overflow in matroskademux element in gst_matroska_demux_add_wvpk_header function which allows a heap overwrite while parsing matroska files. Potential for arbitrary code execution through heap overwrite. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1920 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2022-1921 CVE STATUS: Patched CVE SUMMARY: Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1921 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2022-1922 CVE STATUS: Patched CVE SUMMARY: DOS / potential heap overwrite in mkv demuxing using zlib decompression. Integer overflow in matroskademux element in gst_matroska_decompress_data function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1922 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2022-1923 CVE STATUS: Patched CVE SUMMARY: DOS / potential heap overwrite in mkv demuxing using bzip decompression. Integer overflow in matroskademux element in bzip decompression function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1923 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2022-1924 CVE STATUS: Patched CVE SUMMARY: DOS / potential heap overwrite in mkv demuxing using lzo decompression. Integer overflow in matroskademux element in lzo decompression function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1924 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2022-1925 CVE STATUS: Patched CVE SUMMARY: DOS / potential heap overwrite in mkv demuxing using HEADERSTRIP decompression. Integer overflow in matroskaparse element in gst_matroska_decompress_data function which causes a heap overflow. Due to restrictions on chunk sizes in the matroskademux element, the overflow can't be triggered, however the matroskaparse element has no size checks. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1925 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2022-2122 CVE STATUS: Patched CVE SUMMARY: DOS / potential heap overwrite in qtdemux using zlib decompression. Integer overflow in qtdemux element in qtdemux_inflate function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2122 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2023-37327 CVE STATUS: Patched CVE SUMMARY: GStreamer FLAC File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of FLAC audio files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20775. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37327 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2023-37328 CVE STATUS: Patched CVE SUMMARY: GStreamer PGS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of PGS subtitle files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. . Was ZDI-CAN-20994. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37328 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2023-37329 CVE STATUS: Patched CVE SUMMARY: GStreamer SRT File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of SRT subtitle files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20968. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37329 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2023-38103 CVE STATUS: Patched CVE SUMMARY: GStreamer RealMedia File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of MDPR chunks. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21443. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38103 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2023-38104 CVE STATUS: Patched CVE SUMMARY: GStreamer RealMedia File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of MDPR chunks. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21444. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38104 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2023-40474 CVE STATUS: Patched CVE SUMMARY: GStreamer MXF File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of MXF video files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. . Was ZDI-CAN-21660. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-40474 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2023-40475 CVE STATUS: Patched CVE SUMMARY: GStreamer MXF File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of MXF video files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. . Was ZDI-CAN-21661. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-40475 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2023-40476 CVE STATUS: Patched CVE SUMMARY: GStreamer H265 Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of H265 encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. . Was ZDI-CAN-21768. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-40476 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2023-44429 CVE STATUS: Patched CVE SUMMARY: GStreamer AV1 Codec Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of AV1 encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22226. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-44429 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2023-44446 CVE STATUS: Patched CVE SUMMARY: GStreamer MXF File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of MXF video files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22299. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-44446 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2023-50186 CVE STATUS: Patched CVE SUMMARY: GStreamer AV1 Video Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of metadata within AV1 encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22300. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-50186 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-0444 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-bad in 1.22 branch since 1.22.9 CVE SUMMARY: GStreamer AV1 Video Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of tile list data within AV1-encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22873. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0444 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-4453 CVE STATUS: Patched CVE SUMMARY: GStreamer EXIF Metadata Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of EXIF metadata. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. . Was ZDI-CAN-23896. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-4453 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47537 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. The program attempts to reallocate the memory pointed to by stream->samples to accommodate stream->n_samples + samples_count elements of type QtDemuxSample. The problem is that samples_count is read from the input file. And if this value is big enough, this can lead to an integer overflow during the addition. As a consequence, g_try_renew might allocate memory for a significantly smaller number of elements than intended. Following this, the program iterates through samples_count elements and attempts to write samples_count number of elements, potentially exceeding the actual allocated memory size and causing an OOB-write. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 8.6 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47537 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47538 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-base CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the `vorbis_handle_identification_packet` function within `gstvorbisdec.c`. The position array is a stack-allocated buffer of size 64. If vd->vi.channels exceeds 64, the for loop will write beyond the boundaries of the position array. The value written will always be `GST_AUDIO_CHANNEL_POSITION_NONE`. This vulnerability allows someone to overwrite the EIP address allocated in the stack. Additionally, this bug can overwrite the `GstAudioInfo` info structure. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 8.6 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47538 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47539 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 8.6 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47539 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47540 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 8.6 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47540 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47541 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-base CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An OOB-write vulnerability has been identified in the gst_ssa_parse_remove_override_codes function of the gstssaparse.c file. This function is responsible for parsing and removing SSA (SubStation Alpha) style override codes, which are enclosed in curly brackets ({}). The issue arises when a closing curly bracket "}" appears before an opening curly bracket "{" in the input string. In this case, memmove() incorrectly duplicates a substring. With each successive loop iteration, the size passed to memmove() becomes progressively larger (strlen(end+1)), leading to a write beyond the allocated memory bounds. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 6.9 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47541 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47542 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-base CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference has been discovered in the id3v2_read_synch_uint function, located in id3v2.c. If id3v2_read_synch_uint is called with a null work->hdr.frame_data, the pointer guint8 *data is accessed without validation, resulting in a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 6.8 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47542 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47543 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in qtdemux_parse_container function within qtdemux.c. In the parent function qtdemux_parse_node, the value of length is not well checked. So, if length is big enough, it causes the pointer end to point beyond the boundaries of buffer. Subsequently, in the qtdemux_parse_container function, the while loop can trigger an OOB-read, accessing memory beyond the bounds of buf. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 5.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47543 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47544 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. The function qtdemux_parse_sbgp in qtdemux.c is affected by a null dereference vulnerability. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 6.8 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47544 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47545 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in qtdemux_parse_trak function within qtdemux.c. During the strf parsing case, the subtraction size -= 40 can lead to a negative integer overflow if it is less than 40. If this happens, the subsequent call to gst_buffer_fill will invoke memcpy with a large tocopy size, resulting in an OOB-read. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 6.9 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47545 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47546 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in extract_cc_from_data function within qtdemux.c. In the FOURCC_c708 case, the subtraction atom_length - 8 may result in an underflow if atom_length is less than 8. When that subtraction underflows, *cclen ends up being a large number, and then cclen is passed to g_memdup2 leading to an out-of-bounds (OOB) read. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 6.9 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47546 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47596 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been discovered in the qtdemux_parse_svq3_stsd_data function within qtdemux.c. In the FOURCC_SMI_ case, seqh_size is read from the input file without proper validation. If seqh_size is greater than the remaining size of the data buffer, it can lead to an OOB-read in the following call to gst_buffer_fill, which internally uses memcpy. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 5.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47596 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47597 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been detected in the function qtdemux_parse_samples within qtdemux.c. This issue arises when the function qtdemux_parse_samples reads data beyond the boundaries of the stream->stco buffer. The following code snippet shows the call to qt_atom_parser_get_offset_unchecked, which leads to the OOB-read when parsing the provided GHSL-2024-245_crash1.mp4 file. This issue may lead to read up to 8 bytes out-of-bounds. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 5.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47597 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47598 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in the qtdemux_merge_sample_table function within qtdemux.c. The problem is that the size of the stts buffer isn’t properly checked before reading stts_duration, allowing the program to read 4 bytes beyond the boundaries of stts->data. This vulnerability reads up to 4 bytes past the allocated bounds of the stts array. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 5.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47598 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47599 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_jpeg_dec_negotiate function in gstjpegdec.c. This function does not check for a NULL return value from gst_video_decoder_set_output_state. When this happens, dereferences of the outstate pointer will lead to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 6.8 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47599 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47600 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-base CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been detected in the format_channel_mask function in gst-discoverer.c. The vulnerability affects the local array position, which is defined with a fixed size of 64 elements. However, the function gst_discoverer_audio_info_get_channels may return a guint channels value greater than 64. This causes the for loop to attempt access beyond the bounds of the position array, resulting in an OOB-read when an index greater than 63 is used. This vulnerability can result in reading unintended bytes from the stack. Additionally, the dereference of value->value_nick after the OOB-read can lead to further memory corruption or undefined behavior. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 5.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47600 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47601 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_parse_blockgroup_or_simpleblock function within matroska-demux.c. This function does not properly check the validity of the GstBuffer *sub pointer before performing dereferences. As a result, null pointer dereferences may occur. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 6.8 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47601 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47602 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. This function does not properly check the validity of the stream->codec_priv pointer in the following code. If stream->codec_priv is NULL, the call to GST_READ_UINT16_LE will attempt to dereference a null pointer, leading to a crash of the application. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 6.8 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47602 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47603 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_update_tracks function within matroska-demux.c. The vulnerability occurs when the gst_caps_is_equal function is called with invalid caps values. If this happen, then in the function gst_buffer_get_size the call to GST_BUFFER_MEM_PTR can return a null pointer. Attempting to dereference the size field of this null pointer results in a null pointer dereference. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 6.8 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47603 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47606 CVE STATUS: Unpatched CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 8.6 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47606 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47607 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-base CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. stack-buffer overflow has been detected in the gst_opus_dec_parse_header function within `gstopusdec.c'. The pos array is a stack-allocated buffer of size 64. If n_channels exceeds 64, the for loop will write beyond the boundaries of the pos array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This bug allows to overwrite the EIP address allocated in the stack. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 8.6 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47607 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47613 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been identified in `gst_gdk_pixbuf_dec_flush` within `gstgdkpixbufdec.c`. This function invokes `memcpy`, using `out_pix` as the destination address. `out_pix` is expected to point to the frame 0 from the frame structure, which is read from the input file. However, in certain situations, it can points to a NULL frame, causing the subsequent call to `memcpy` to attempt writing to the null address (0x00), leading to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 8.6 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47613 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47615 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-base CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An OOB-Write has been detected in the function gst_parse_vorbis_setup_packet within vorbis_parse.c. The integer size is read from the input file without proper validation. As a result, size can exceed the fixed size of the pad->vorbis_mode_sizes array (which size is 256). When this happens, the for loop overwrites the entire pad structure with 0s and 1s, affecting adjacent memory as well. This OOB-write can overwrite up to 380 bytes of memory beyond the boundaries of the pad->vorbis_mode_sizes array. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 8.6 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47615 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47774 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_avi_subtitle_parse_gab2_chunk function within gstavisubtitle.c. The function reads the name_length value directly from the input file without checking it properly. Then, the a condition, does not properly handle cases where name_length is greater than 0xFFFFFFFF - 17, causing an integer overflow. In such scenario, the function attempts to access memory beyond the buffer leading to an OOB-read. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 5.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47774 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47775 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been found in the parse_ds64 function within gstwavparse.c. The parse_ds64 function does not check that the buffer buf contains sufficient data before attempting to read from it, doing multiple GST_READ_UINT32_LE operations without performing boundary checks. This can lead to an OOB-read when buf is smaller than expected. This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 5.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47775 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47776 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been discovered in gst_wavparse_cue_chunk within gstwavparse.c. The vulnerability happens due to a discrepancy between the size of the data buffer and the size value provided to the function. This mismatch causes the comparison if (size < 4 + ncues * 24) to fail in some cases, allowing the subsequent loop to access beyond the bounds of the data buffer. The root cause of this discrepancy stems from a miscalculation when clipping the chunk size based on upstream data size. This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 5.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47776 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47777 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_wavparse_smpl_chunk function within gstwavparse.c. This function attempts to read 4 bytes from the data + 12 offset without checking if the size of the data buffer is sufficient. If the buffer is too small, the function reads beyond its bounds. This vulnerability may result in reading 4 bytes out of the boundaries of the data buffer. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 5.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47777 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47778 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in gst_wavparse_adtl_chunk within gstwavparse.c. This vulnerability arises due to insufficient validation of the size parameter, which can exceed the bounds of the data buffer. As a result, an OOB read occurs in the following while loop. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 5.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47778 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47834 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. An Use-After-Free read vulnerability has been discovered affecting the processing of CodecPrivate elements in Matroska streams. In the GST_MATROSKA_ID_CODECPRIVATE case within the gst_matroska_demux_parse_stream function, a data chunk is allocated using gst_ebml_read_binary. Later, the allocated memory is freed in the gst_matroska_track_free function, by the call to g_free (track->codec_priv). Finally, the freed memory is accessed in the caps_serialize function through gst_value_serialize_buffer. The freed memory will be accessed in the gst_value_serialize_buffer function. This results in a UAF read vulnerability, as the function tries to process memory that has already been freed. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 5.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47834 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2024-47835 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-base CVE SUMMARY: GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been detected in the parse_lrc function within gstsubparse.c. The parse_lrc function calls strchr() to find the character ']' in the string line. The pointer returned by this call is then passed to g_strdup(). However, if the string line does not contain the character ']', strchr() returns NULL, and a call to g_strdup(start + 1) leads to a null pointer dereference. This vulnerability is fixed in 1.24.10. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 6.8 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-47835 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2025-2759 CVE STATUS: Ignored CVE DETAIL: not-applicable-platform CVE DESCRIPTION: affects installation packages for non Linux OSes CVE SUMMARY: GStreamer Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of GStreamer. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the product installer. The issue results from incorrect permissions on folders. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25448. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-2759 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2025-3887 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-bad CVE SUMMARY: GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of H265 slice headers. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26596. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-3887 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2025-47183 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_tree function may read past the end of a heap buffer while parsing an MP4 file, leading to information disclosure. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-47183 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2025-47219 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-good CVE SUMMARY: In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_trak function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-47219 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2025-47806 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-base CVE SUMMARY: In GStreamer through 1.26.1, the subparse plugin's parse_subrip_time function may write data past the bounds of a stack buffer, leading to a crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-47806 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2025-47807 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-base CVE SUMMARY: In GStreamer through 1.26.1, the subparse plugin's subrip_unescape_formatting function may dereference a NULL pointer while parsing a subtitle file, leading to a crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-47807 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2025-47808 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: this is patched in gstreamer1.0-plugins-base CVE SUMMARY: In GStreamer through 1.26.1, the subparse plugin's tmplayer_parse_line function may dereference a NULL pointer while parsing a subtitle file, leading to a crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-47808 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2025-6663 CVE STATUS: Patched CVE SUMMARY: GStreamer H266 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of H266 sei messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27381. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-6663 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2026-1940 CVE STATUS: Unpatched CVE SUMMARY: An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavparse_adtl_chunk() function. The patch added a size validation check lsize + 8 > size, but it does not account for the GST_ROUND_UP_2(lsize) used in the actual offset calculation. When lsize is an odd number, the parser advances more bytes than validated, causing OOB read. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-1940 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2026-2920 CVE STATUS: Unpatched CVE SUMMARY: GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of stream headers within ASF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28843. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-2920 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2026-2921 CVE STATUS: Unpatched CVE SUMMARY: GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of palette data in AVI files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28854. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-2921 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2026-2922 CVE STATUS: Unpatched CVE SUMMARY: GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of video packets. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28845. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-2922 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2026-2923 CVE STATUS: Unpatched CVE SUMMARY: GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of coordinates. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28838. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-2923 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2026-3081 CVE STATUS: Unpatched CVE SUMMARY: GStreamer H.266 Codec Parser Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of decoding units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28839. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3081 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2026-3082 CVE STATUS: Unpatched CVE SUMMARY: GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of Huffman tables. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28840. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3082 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2026-3083 CVE STATUS: Unpatched CVE SUMMARY: GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of X-QDM RTP payload elements. When parsing the packetid element, the process does not properly validate user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28850. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3083 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2026-3084 CVE STATUS: Unpatched CVE SUMMARY: GStreamer H.266 Codec Parser Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of picture partitions. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28910. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3084 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2026-3085 CVE STATUS: Unpatched CVE SUMMARY: GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of X-QDM RTP payloads. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28851. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3085 LAYER: meta PACKAGE NAME: gstreamer1.0 PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2026-3086 CVE STATUS: Unpatched CVE SUMMARY: GStreamer H.266 Codec Parser Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of APS units. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28911. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3086 LAYER: meta PACKAGE NAME: tcl PACKAGE VERSION: 8.6.13 CVE: CVE-2021-35331 CVE STATUS: Patched CVE SUMMARY: In Tcl 8.6.11, a format string vulnerability in nmakehlp.c might allow code execution via a crafted file. NOTE: multiple third parties dispute the significance of this finding CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-35331 LAYER: meta PACKAGE NAME: acl PACKAGE VERSION: 2.3.2 CVE: CVE-2009-4411 CVE STATUS: Patched CVE SUMMARY: The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack. CVSS v2 BASE SCORE: 3.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4411 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2016-4330 CVE STATUS: Patched CVE SUMMARY: In the HDF5 1.8.16 library's failure to check if the number of dimensions for an array read from the file is within the bounds of the space allocated for it, a heap-based buffer overflow will occur, potentially leading to arbitrary code execution. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4330 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2016-4331 CVE STATUS: Patched CVE SUMMARY: When decoding data out of a dataset encoded with the H5Z_NBIT decoding, the HDF5 1.8.16 library will fail to ensure that the precision is within the bounds of the size leading to arbitrary code execution. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4331 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2016-4332 CVE STATUS: Patched CVE SUMMARY: The library's failure to check if certain message types support a particular flag, the HDF5 1.8.16 library will cast the structure to an alternative structure and then assign to fields that aren't supported by the message type and the library will write outside the bounds of the heap buffer. This can lead to code execution under the context of the library. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4332 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2016-4333 CVE STATUS: Patched CVE SUMMARY: The HDF5 1.8.16 library allocating space for the array using a value from the file has an impact within the loop for initializing said array allowing a value within the file to modify the loop's terminator. Due to this, an aggressor can cause the loop's index to point outside the bounds of the array when initializing it. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4333 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2017-17505 CVE STATUS: Patched CVE SUMMARY: In HDF5 1.10.1, there is a NULL pointer dereference in the function H5O_pline_decode in the H5Opline.c file in libhdf5.a. For example, h5dump would crash when someone opens a crafted hdf5 file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17505 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2017-17506 CVE STATUS: Patched CVE SUMMARY: In HDF5 1.10.1, there is an out of bounds read vulnerability in the function H5Opline_pline_decode in H5Opline.c in libhdf5.a. For example, h5dump would crash when someone opens a crafted hdf5 file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17506 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2017-17507 CVE STATUS: Patched CVE SUMMARY: In HDF5 1.10.1, there is an out of bounds read vulnerability in the function H5T_conv_struct_opt in H5Tconv.c in libhdf5.a. For example, h5dump would crash when someone opens a crafted hdf5 file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17507 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2017-17508 CVE STATUS: Patched CVE SUMMARY: In HDF5 1.10.1, there is a divide-by-zero vulnerability in the function H5T_set_loc in the H5T.c file in libhdf5.a. For example, h5dump would crash when someone opens a crafted hdf5 file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17508 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2017-17509 CVE STATUS: Patched CVE SUMMARY: In HDF5 1.10.1, there is an out of bounds write vulnerability in the function H5G__ent_decode_vec in H5Gcache.c in libhdf5.a. For example, h5dump would crash or possibly have unspecified other impact someone opens a crafted hdf5 file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17509 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-11202 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference was discovered in H5S_hyper_make_spans in H5Shyper.c in the HDF HDF5 1.10.2 library. It could allow a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11202 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-11203 CVE STATUS: Patched CVE SUMMARY: A division by zero was discovered in H5D__btree_decode_key in H5Dbtree.c in the HDF HDF5 1.10.2 library. It could allow a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11203 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-11204 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference was discovered in H5O__chunk_deserialize in H5Ocache.c in the HDF HDF5 1.10.2 library. It could allow a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11204 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-11205 CVE STATUS: Patched CVE SUMMARY: A out of bounds read was discovered in H5VM_memcpyvv in H5VM.c in the HDF HDF5 1.10.2 library. It could allow a remote denial of service or information disclosure attack. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11205 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-11206 CVE STATUS: Patched CVE SUMMARY: An out of bounds read was discovered in H5O_fill_new_decode and H5O_fill_old_decode in H5Ofill.c in the HDF HDF5 1.10.2 library. It could allow a remote denial of service or information disclosure attack. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11206 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-11207 CVE STATUS: Patched CVE SUMMARY: A division by zero was discovered in H5D__chunk_init in H5Dchunk.c in the HDF HDF5 1.10.2 library. It could allow a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11207 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-13866 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is a stack-based buffer over-read in the function H5F_addr_decode_len in H5Fint.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13866 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-13867 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is an out of bounds read in the function H5F__accum_read in H5Faccum.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13867 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-13868 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is a heap-based buffer over-read in the function H5O_fill_old_decode in H5Ofill.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13868 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-13869 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is a memcpy parameter overlap in the function H5O_link_decode in H5Olink.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13869 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-13870 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is a heap-based buffer over-read in the function H5O_link_decode in H5Olink.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13870 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-13871 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is a heap-based buffer overflow in the function H5FL_blk_malloc in H5FL.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13871 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-13872 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is a heap-based buffer overflow in the function H5G_ent_decode in H5Gent.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13872 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-13873 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is a buffer over-read in H5O_chunk_deserialize in H5Ocache.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13873 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-13874 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is a stack-based buffer overflow in the function H5FD_sec2_read in H5FDsec2.c, related to HDmemset. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13874 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-13875 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is an out-of-bounds read in the function H5VM_memcpyvv in H5VM.c. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13875 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-13876 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is a stack-based buffer overflow in the function H5FD_sec2_read in H5FDsec2.c, related to HDread. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13876 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-14031 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is a heap-based buffer over-read in the function H5T_copy in H5T.c. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14031 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-14033 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is a heap-based buffer over-read in the function H5O_layout_decode in H5Olayout.c, related to HDmemcpy. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14033 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-14034 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is an out of bounds read in the function H5O_pline_reset in H5Opline.c. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14034 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-14035 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is a heap-based buffer over-read in the function H5VM_memcpyvv in H5VM.c. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14035 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-14460 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is a heap-based buffer over-read in the function H5O_sdspace_decode in H5Osdspace.c. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14460 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-15671 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.10.2 library. Excessive stack consumption has been detected in the function H5P__get_cb() in H5Pint.c during an attempted parse of a crafted HDF file. This results in denial of service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15671 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-16438 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.8.20 library. There is an out of bounds read in H5L_extern_query at H5Lexternal.c. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16438 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-17233 CVE STATUS: Patched CVE SUMMARY: A SIGFPE signal is raised in the function H5D__create_chunk_file_map_hyper() of H5Dchunk.c in the HDF HDF5 through 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. It could allow a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17233 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-17234 CVE STATUS: Patched CVE SUMMARY: Memory leak in the H5O__chunk_deserialize() function in H5Ocache.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (memory consumption) via a crafted HDF5 file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17234 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-17237 CVE STATUS: Patched CVE SUMMARY: A SIGFPE signal is raised in the function H5D__chunk_set_info_real() of H5Dchunk.c in the HDF HDF5 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. This issue is different from CVE-2018-11207. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17237 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-17432 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference in H5O_sdspace_encode() in H5Osdspace.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service via a crafted HDF5 file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17432 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-17433 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer overflow in ReadGifImageDesc() in gifread.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17433 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-17434 CVE STATUS: Patched CVE SUMMARY: A SIGFPE signal is raised in the function apply_filters() of h5repack_filters.c in the HDF HDF5 through 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. It could allow a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17434 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-17435 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer over-read in H5O_attr_decode() in H5Oattr.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while converting an HDF file to GIF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17435 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-17436 CVE STATUS: Patched CVE SUMMARY: ReadCode() in decompress.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (invalid write access) via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17436 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-17437 CVE STATUS: Patched CVE SUMMARY: Memory leak in the H5O_dtype_decode_helper() function in H5Odtype.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (memory consumption) via a crafted HDF5 file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17437 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-17438 CVE STATUS: Patched CVE SUMMARY: A SIGFPE signal is raised in the function H5D__select_io() of H5Dselect.c in the HDF HDF5 through 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. It could allow a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17438 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2018-17439 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.10.3 library. There is a stack-based buffer overflow in the function H5S_extent_get_dims() in H5S.c. Specifically, this issue occurs while converting an HDF5 file to a GIF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17439 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2019-8396 CVE STATUS: Patched CVE SUMMARY: A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 through 1.10.4 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while repacking an HDF5 file, aka "Invalid write of size 2." CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8396 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2019-8397 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_close_real in H5T.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8397 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2019-8398 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5T_get_size in H5T.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8398 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2019-9151 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5VM_memcpyvv in H5VM.c when called from H5D__compact_readvv in H5Dcompact.c. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9151 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2019-9152 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HDF HDF5 1.10.4 library. There is an out of bounds read in the function H5MM_xstrdup in H5MM.c when called from H5O_dtype_decode_helper in H5Odtype.c. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9152 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2020-10809 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in HDF5 through 1.12.0. A heap-based buffer overflow exists in the function Decompress() located in decompress.c. It can be triggered by sending a crafted file to the gif2h5 binary. It allows an attacker to cause Denial of Service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10809 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2020-10810 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in HDF5 through 1.12.0. A NULL pointer dereference exists in the function H5AC_unpin_entry() located in H5AC.c. It allows an attacker to cause Denial of Service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10810 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2020-10811 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in HDF5 through 1.12.0. A heap-based buffer over-read exists in the function H5O__layout_decode() located in H5Olayout.c. It allows an attacker to cause Denial of Service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10811 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2020-10812 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in HDF5 through 1.12.0. A NULL pointer dereference exists in the function H5F_get_nrefs() located in H5Fquery.c. It allows an attacker to cause Denial of Service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10812 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2020-18232 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in function H5S_close in H5S.c in HDF5 1.10.4 allows remote attackers to run arbitrary code via creation of crafted file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-18232 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2020-18494 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in function H5S_close in H5S.c in HDF5 1.10.4 allows remote attackers to run arbitrary code via creation of crafted file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-18494 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2021-37501 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in HDFGroup hdf5-h5dump 1.12.0 through 1.13.0 allows attackers to cause a denial of service via h5tools_str_sprint in /hdf5/tools/lib/h5tools_str.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37501 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2021-45829 CVE STATUS: Patched CVE SUMMARY: HDF5 1.13.1-1 is affected by: segmentation fault, which causes a Denial of Service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45829 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2021-45830 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer overflow vulnerability exists in HDF5 1.13.1-1 via H5F_addr_decode_len in /hdf5/src/H5Fint.c, which could cause a Denial of Service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45830 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2021-45832 CVE STATUS: Patched CVE SUMMARY: A Stack-based Buffer Overflow Vulnerability exists in HDF5 1.13.1-1 at at hdf5/src/H5Eint.c, which causes a Denial of Service (context-dependent). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45832 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2021-45833 CVE STATUS: Patched CVE SUMMARY: A Stack-based Buffer Overflow Vulnerability exists in HDF5 1.13.1-1 via the H5D__create_chunk_file_map_hyper function in /hdf5/src/H5Dchunk.c, which causes a Denial of Service (context-dependent). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45833 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2021-46242 CVE STATUS: Patched CVE SUMMARY: HDF5 v1.13.1-1 was discovered to contain a heap-use-after free via the component H5AC_unpin_entry. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46242 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2021-46243 CVE STATUS: Patched CVE SUMMARY: An untrusted pointer dereference vulnerability exists in HDF5 v1.13.1-1 via the function H5O__dtype_decode_helper () at hdf5/src/H5Odtype.c. This vulnerability can lead to a Denial of Service (DoS). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46243 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2021-46244 CVE STATUS: Patched CVE SUMMARY: A Divide By Zero vulnerability exists in HDF5 v1.13.1-1 vis the function H5T__complete_copy () at /hdf5/src/H5T.c. This vulnerability causes an aritmetic exception, leading to a Denial of Service (DoS). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46244 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2022-25942 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds read vulnerability exists in the gif2h5 functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25942 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2022-25972 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds write vulnerability exists in the gif2h5 functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25972 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2022-26061 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer overflow vulnerability exists in the gif2h5 functionality of HDF5 Group libhdf5 1.10.4. A specially-crafted GIF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26061 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-29157 CVE STATUS: Patched CVE SUMMARY: HDF5 through 1.14.3 contains a heap buffer overflow in H5HG_read, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-29157 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-29158 CVE STATUS: Patched CVE SUMMARY: HDF5 through 1.14.3 contains a stack buffer overflow in H5FL_arr_malloc, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-29158 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-29159 CVE STATUS: Patched CVE SUMMARY: HDF5 through 1.14.3 contains a buffer overflow in H5Z__filter_scaleoffset, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-29159 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-29160 CVE STATUS: Patched CVE SUMMARY: HDF5 through 1.14.3 contains a heap buffer overflow in H5HG__cache_heap_deserialize, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-29160 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-29161 CVE STATUS: Patched CVE SUMMARY: HDF5 through 1.14.3 contains a heap buffer overflow in H5A__attr_release_table, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-29161 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-29162 CVE STATUS: Patched CVE SUMMARY: HDF5 through 1.13.3 and/or 1.14.2 contains a stack buffer overflow in H5HG_read, resulting in denial of service or potential code execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-29162 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-29163 CVE STATUS: Patched CVE SUMMARY: HDF5 through 1.14.3 contains a heap buffer overflow in H5T__bit_find, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-29163 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-29164 CVE STATUS: Patched CVE SUMMARY: HDF5 through 1.14.3 contains a stack buffer overflow in H5R__decode_heap, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-29164 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-29165 CVE STATUS: Patched CVE SUMMARY: HDF5 through 1.14.3 contains a buffer overflow in H5Z__filter_fletcher32, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-29165 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-29166 CVE STATUS: Patched CVE SUMMARY: HDF5 through 1.14.3 contains a buffer overflow in H5O__linfo_decode, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-29166 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32605 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 has a heap-based buffer over-read in H5VM_memcpyvv in H5VM.c (called from H5D__compact_readvv in H5Dcompact.c). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32605 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32606 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 may attempt to dereference uninitialized values in h5tools_str_sprint in tools/lib/h5tools_str.c (called from h5tools_dump_simple_data in tools/lib/h5tools_dump.c). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32606 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32607 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 has a SEGV in H5A__close in H5Aint.c, resulting in the corruption of the instruction pointer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32607 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32608 CVE STATUS: Patched CVE SUMMARY: HDF5 library through 1.14.3 has memory corruption in H5A__close resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32608 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32609 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 allows stack consumption in the function H5E_printf_stack in H5Eint.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32609 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32610 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 has a SEGV in H5T_close_real in H5T.c, resulting in a corrupted instruction pointer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32610 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32611 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 may use an uninitialized value in H5A__attr_release_table in H5Aint.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32611 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32612 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 contains a heap-based buffer over-read in H5HL__fl_deserialize in H5HLcache.c, resulting in the corruption of the instruction pointer, a different vulnerability than CVE-2024-32613. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32612 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32613 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 contains a heap-based buffer over-read in the function H5HL__fl_deserialize in H5HLcache.c, a different vulnerability than CVE-2024-32612. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32613 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32614 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 has a SEGV in H5VM_memcpyvv in H5VM.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32614 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32615 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5Z__nbit_decompress_one_byte in H5Znbit.c, caused by the earlier use of an initialized pointer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32615 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32616 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 contains a heap-based buffer over-read in H5O__dtype_encode_helper in H5Odtype.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32616 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32617 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 contains a heap-based buffer over-read caused by the unsafe use of strdup in H5MM_xstrdup in H5MM.c (called from H5G__ent_to_link in H5Glink.c). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32617 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32618 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T__get_native_type in H5Tnative.c, resulting in the corruption of the instruction pointer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32618 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32619 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T_copy_reopen in H5T.c, resulting in the corruption of the instruction pointer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32619 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32620 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 contains a heap-based buffer over-read in H5F_addr_decode_len in H5Fint.c, resulting in the corruption of the instruction pointer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32620 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32621 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5HG_read in H5HG.c (called from H5VL__native_blob_get in H5VLnative_blob.c), resulting in the corruption of the instruction pointer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32621 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32622 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 contains a out-of-bounds read operation in H5FL_arr_malloc in H5FL.c (called from H5S_set_extent_simple in H5S.c). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32622 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32623 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5VM_array_fill in H5VM.c (called from H5S_select_elements in H5Spoint.c). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32623 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-32624 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T__ref_mem_setnull in H5Tref.c (called from H5T__conv_ref in H5Tconv.c), resulting in the corruption of the instruction pointer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32624 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-33873 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 has a heap-based buffer overflow in H5D__scatter_mem in H5Dscatgath.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-33873 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-33874 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 has a heap buffer overflow in H5O__mtime_new_encode in H5Omtime.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-33874 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-33875 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 has a heap-based buffer overflow in H5O__layout_encode in H5Olayout.c, resulting in the corruption of the instruction pointer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-33875 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-33876 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 has a heap buffer overflow in H5S__point_deserialize in H5Spoint.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-33876 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2024-33877 CVE STATUS: Patched CVE SUMMARY: HDF5 Library through 1.14.3 has a heap-based buffer overflow in H5T__conv_struct_opt in H5Tconv.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-33877 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2153 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as critical, was found in HDF5 1.14.6. Affected is the function H5SM_delete of the file H5SM.c of the component h5 File Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 2.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-2153 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2308 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as critical, was found in HDF5 1.14.6. This affects the function H5Z__scaleoffset_decompress_one_byte of the component Scale-Offset Filter. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor plans to fix this issue in an upcoming release. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 4.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-2308 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2309 CVE STATUS: Patched CVE SUMMARY: A vulnerability has been found in HDF5 1.14.6 and classified as critical. This vulnerability affects the function H5T__bit_copy of the component Type Conversion Logic. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor plans to fix this issue in an upcoming release. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 4.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-2309 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2310 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in HDF5 1.14.6 and classified as critical. This issue affects the function H5MM_strndup of the component Metadata Attribute Decoder. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The vendor plans to fix this issue in an upcoming release. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 4.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-2310 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2912 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in HDF5 up to 1.14.6. It has been declared as problematic. Affected by this vulnerability is the function H5O_msg_flush of the file src/H5Omessage.c. The manipulation of the argument oh leads to heap-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-2912 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2913 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in HDF5 up to 1.14.6. It has been rated as critical. Affected by this issue is the function H5FL__blk_gc_list of the file src/H5FL.c. The manipulation of the argument H5FL_blk_head_t leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-2913 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2914 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as problematic has been found in HDF5 up to 1.14.6. This affects the function H5FS__sinfo_Srialize_Sct_cb of the file src/H5FScache.c. The manipulation of the argument sect leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-2914 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2915 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as problematic was found in HDF5 up to 1.14.6. This vulnerability affects the function H5F__accum_free of the file src/H5Faccum.c. The manipulation of the argument overlap_size leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-2915 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2923 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as problematic, has been found in HDF5 up to 1.14.6. Affected by this issue is the function H5F_addr_encode_len of the file src/H5Fint.c. The manipulation of the argument pp leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-2923 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2924 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as problematic, was found in HDF5 up to 1.14.6. This affects the function H5HL__fl_deserialize of the file src/H5HLcache.c. The manipulation of the argument free_block leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-2924 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2925 CVE STATUS: Patched CVE SUMMARY: A vulnerability has been found in HDF5 up to 1.14.6 and classified as problematic. This vulnerability affects the function H5MM_realloc of the file src/H5MM.c. The manipulation of the argument mem leads to double free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-2925 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-2926 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in HDF5 up to 1.14.6 and classified as problematic. This issue affects the function H5O__cache_chk_serialize of the file src/H5Ocache.c. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-2926 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-44904 CVE STATUS: Patched CVE SUMMARY: hdf5 v1.14.6 was discovered to contain a heap buffer overflow via the H5VM_memcpyvv function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-44904 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-44905 CVE STATUS: Patched CVE SUMMARY: hdf5 v1.14.6 was discovered to contain a heap buffer overflow via the H5Z__filter_scaleoffset function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-44905 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-6269 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as critical was found in HDF5 up to 1.14.6. Affected by this vulnerability is the function H5C__reconstruct_cache_entry of the file H5Cimage.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-6269 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-6270 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as critical, has been found in HDF5 up to 1.14.6. Affected by this issue is the function H5FS__sect_find_node of the file H5FSsection.c. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-6270 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-6516 CVE STATUS: Patched CVE SUMMARY: A vulnerability has been found in HDF5 up to 1.14.6 and classified as critical. This vulnerability affects the function H5F_addr_decode_len of the file /hdf5/src/H5Fint.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-6516 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-6750 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as problematic, has been found in HDF5 1.14.6. Affected by this issue is the function H5O__mtime_new_encode of the file src/H5Omtime.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-6750 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-6816 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as problematic was found in HDF5 1.14.6. This vulnerability affects the function H5O__fsinfo_encode of the file /src/H5Ofsinfo.c. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-6816 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-6817 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as problematic, has been found in HDF5 1.14.6. This issue affects the function H5C__load_entry of the file /src/H5Centry.c. The manipulation leads to resource consumption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-6817 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-6818 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as problematic, was found in HDF5 1.14.6. Affected is the function H5O__chunk_protect of the file /src/H5Ochunk.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-6818 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-6856 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as problematic, was found in HDF5 1.14.6. Affected is the function H5FL__reg_gc_list of the file src/H5FL.c. The manipulation leads to use after free. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-6856 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-6857 CVE STATUS: Patched CVE SUMMARY: A vulnerability has been found in HDF5 1.14.6 and classified as problematic. Affected by this vulnerability is the function H5G__node_cmp3 of the file src/H5Gnode.c. The manipulation leads to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-6857 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-6858 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in HDF5 1.14.6 and classified as problematic. Affected by this issue is the function H5C__flush_single_entry of the file src/H5Centry.c. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-6858 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-7067 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as problematic was found in HDF5 1.14.6. This vulnerability affects the function H5FS__sinfo_serialize_node_cb of the file src/H5FScache.c. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-7067 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-7068 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as problematic, has been found in HDF5 1.14.6. This issue affects the function H5FL__malloc of the file src/H5FL.c. The manipulation leads to memory leak. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-7068 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2025-7069 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as problematic, was found in HDF5 1.14.6. Affected is the function H5FS__sect_link_size of the file src/H5FSsection.c. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-7069 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2026-26200 CVE STATUS: Patched CVE SUMMARY: HDF5 is software for managing data. Prior to version 1.14.4-2, an attacker who can control an `h5` file parsed by HDF5 can trigger a write-based heap buffer overflow condition. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. Real-world exploitability of this issue in terms of remote-code execution is currently unknown. Version 1.14.4-2 fixes the issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-26200 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2026-29043 CVE STATUS: Patched CVE SUMMARY: HDF5 is software for managing data. In 1.14.1-2 and earlier, an attacker who can control an h5 file parsed by HDF5 can trigger a write-based heap buffer overflow condition in the H5T__ref_mem_setnull method. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-29043 LAYER: meta-oe PACKAGE NAME: hdf5 PACKAGE VERSION: 1.14.4-3 CVE: CVE-2026-34734 CVE STATUS: Patched CVE SUMMARY: HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct. The original object was allocated by H5D__typeinfo_init_phase3 and freed by H5D__typeinfo_term. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-34734 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2000-0973 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in curl earlier than 6.0-1.1, and curl-ssl earlier than 6.0-1.2, allows remote attackers to execute arbitrary commands by forcing a long error message to be generated. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0973 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2003-1605 CVE STATUS: Patched CVE SUMMARY: curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote server. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-1605 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2005-0490 CVE STATUS: Patched CVE SUMMARY: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0490 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2005-3185 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the ntlm_output function in http-ntlm.c for (1) wget 1.10, (2) curl 7.13.2, and (3) libcurl 7.13.2, and other products that use libcurl, when NTLM authentication is enabled, allows remote servers to execute arbitrary code via a long NTLM username. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3185 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2005-4077 CVE STATUS: Patched CVE SUMMARY: Multiple off-by-one errors in the cURL library (libcurl) 7.11.2 through 7.15.0 allow local users to trigger a buffer overflow and cause a denial of service or bypass PHP security restrictions via certain URLs that (1) are malformed in a way that prevents a terminating null byte from being added to either a hostname or path buffer, or (2) contain a "?" separator in the hostname portion, which causes a "/" to be prepended to the resulting string. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4077 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2006-1061 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1061 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2007-3564 CVE STATUS: Patched CVE SUMMARY: libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does not check SSL/TLS certificate expiration or activation dates, which allows remote attackers to bypass certain access restrictions. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3564 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2009-0037 CVE STATUS: Patched CVE SUMMARY: The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0037 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2009-2417 CVE STATUS: Patched CVE SUMMARY: lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2417 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2010-0734 CVE STATUS: Patched CVE SUMMARY: content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0734 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2010-3842 CVE STATUS: Patched CVE SUMMARY: Absolute path traversal vulnerability in curl 7.20.0 through 7.21.1, when the --remote-header-name or -J option is used, allows remote servers to create or overwrite arbitrary files by using \ (backslash) as a separator of path components within the Content-disposition HTTP header. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3842 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2011-2192 CVE STATUS: Patched CVE SUMMARY: The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2192 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2011-3389 CVE STATUS: Patched CVE SUMMARY: The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3389 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2012-0036 CVE STATUS: Patched CVE SUMMARY: curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0036 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2013-0249 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0249 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2013-1944 CVE STATUS: Patched CVE SUMMARY: The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1944 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2013-2174 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a "%" (percent) character. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2174 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2013-4545 CVE STATUS: Patched CVE SUMMARY: cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4545 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2013-6422 CVE STATUS: Patched CVE SUMMARY: The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6422 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-0015 CVE STATUS: Patched CVE SUMMARY: cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0015 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-0138 CVE STATUS: Patched CVE SUMMARY: The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0138 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-0139 CVE STATUS: Patched CVE SUMMARY: cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0139 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-2522 CVE STATUS: Patched CVE SUMMARY: curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2522 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-3613 CVE STATUS: Patched CVE SUMMARY: cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3613 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-3620 CVE STATUS: Patched CVE SUMMARY: cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3620 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-3707 CVE STATUS: Patched CVE SUMMARY: The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3707 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-8150 CVE STATUS: Patched CVE SUMMARY: CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8150 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2014-8151 CVE STATUS: Patched CVE SUMMARY: The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8151 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2015-3143 CVE STATUS: Patched CVE SUMMARY: cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3143 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2015-3144 CVE STATUS: Patched CVE SUMMARY: The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80." CVSS v2 BASE SCORE: 9.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3144 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2015-3145 CVE STATUS: Patched CVE SUMMARY: The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing only a double-quote character. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3145 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2015-3148 CVE STATUS: Patched CVE SUMMARY: cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3148 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2015-3153 CVE STATUS: Patched CVE SUMMARY: The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3153 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2015-3236 CVE STATUS: Patched CVE SUMMARY: cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3236 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2015-3237 CVE STATUS: Patched CVE SUMMARY: The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3237 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-0754 CVE STATUS: Patched CVE SUMMARY: cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0754 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-0755 CVE STATUS: Patched CVE SUMMARY: The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0755 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-3739 CVE STATUS: Patched CVE SUMMARY: The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3739 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-4606 CVE STATUS: Patched CVE SUMMARY: Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4606 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-4802 CVE STATUS: Patched CVE SUMMARY: Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) security.dll, (2) secur32.dll, or (3) ws2_32.dll in the application or current working directory. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4802 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-5419 CVE STATUS: Patched CVE SUMMARY: curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5419 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-5420 CVE STATUS: Patched CVE SUMMARY: curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5420 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-5421 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5421 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-7141 CVE STATUS: Patched CVE SUMMARY: curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7141 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-7167 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7167 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8615 CVE STATUS: Patched CVE SUMMARY: A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8615 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8616 CVE STATUS: Patched CVE SUMMARY: A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8616 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8617 CVE STATUS: Patched CVE SUMMARY: The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8617 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8618 CVE STATUS: Patched CVE SUMMARY: The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8618 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8619 CVE STATUS: Patched CVE SUMMARY: The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8619 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8620 CVE STATUS: Patched CVE SUMMARY: The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled input. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8620 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8621 CVE STATUS: Patched CVE SUMMARY: The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8621 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8622 CVE STATUS: Patched CVE SUMMARY: The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8622 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8623 CVE STATUS: Patched CVE SUMMARY: A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8623 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8624 CVE STATUS: Patched CVE SUMMARY: curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8624 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-8625 CVE STATUS: Patched CVE SUMMARY: curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8625 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-9586 CVE STATUS: Patched CVE SUMMARY: curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9586 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-9594 CVE STATUS: Patched CVE SUMMARY: curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl's internal function that returns a good 32bit random value. Having a weak or virtually non-existent random value makes the operations that use it vulnerable. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9594 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-9952 CVE STATUS: Patched CVE SUMMARY: The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted wildcard SAN in a server certificate, as demonstrated by "*.com." CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9952 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2016-9953 CVE STATUS: Patched CVE SUMMARY: The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly have unspecified other impact via a wildcard certificate name, which triggers an out-of-bounds read. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9953 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-1000099 CVE STATUS: Patched CVE SUMMARY: When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000099 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-1000100 CVE STATUS: Patched CVE SUMMARY: When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000100 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-1000101 CVE STATUS: Patched CVE SUMMARY: curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000101 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-1000254 CVE STATUS: Patched CVE SUMMARY: libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000254 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-1000257 CVE STATUS: Patched CVE SUMMARY: An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000257 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-2628 CVE STATUS: Patched CVE SUMMARY: curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2628 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-2629 CVE STATUS: Patched CVE SUMMARY: curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status). CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2629 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-7407 CVE STATUS: Patched CVE SUMMARY: The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 2.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7407 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-7468 CVE STATUS: Patched CVE SUMMARY: In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 4.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7468 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-8816 CVE STATUS: Patched CVE SUMMARY: The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8816 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-8817 CVE STATUS: Patched CVE SUMMARY: The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8817 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-8818 CVE STATUS: Patched CVE SUMMARY: curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too little memory is allocated for interfacing to an SSL library. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8818 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2017-9502 CVE STATUS: Patched CVE SUMMARY: In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given "URL" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string "file://"). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9502 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-0500 CVE STATUS: Patched CVE SUMMARY: Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument or CURLOPT_BUFFERSIZE value). CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0500 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-1000005 CVE STATUS: Patched CVE SUMMARY: libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000005 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-1000007 CVE STATUS: Patched CVE SUMMARY: libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000007 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-1000120 CVE STATUS: Patched CVE SUMMARY: A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000120 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-1000121 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000121 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-1000122 CVE STATUS: Patched CVE SUMMARY: A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000122 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-1000300 CVE STATUS: Patched CVE SUMMARY: curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.. This vulnerability appears to have been fixed in curl < 7.54.1 and curl >= 7.60.0. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000300 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-1000301 CVE STATUS: Patched CVE SUMMARY: curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000301 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-14618 CVE STATUS: Patched CVE SUMMARY: curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.) CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14618 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-16839 CVE STATUS: Patched CVE SUMMARY: Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16839 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-16840 CVE STATUS: Patched CVE SUMMARY: A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16840 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-16842 CVE STATUS: Patched CVE SUMMARY: Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16842 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2018-16890 CVE STATUS: Patched CVE SUMMARY: libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16890 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2019-3822 CVE STATUS: Patched CVE SUMMARY: libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3822 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2019-3823 CVE STATUS: Patched CVE SUMMARY: libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3823 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2019-5435 CVE STATUS: Patched CVE SUMMARY: An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5435 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2019-5436 CVE STATUS: Patched CVE SUMMARY: A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5436 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2019-5443 CVE STATUS: Patched CVE SUMMARY: A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5443 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2019-5481 CVE STATUS: Patched CVE SUMMARY: Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5481 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2019-5482 CVE STATUS: Patched CVE SUMMARY: Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5482 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2020-19909 CVE STATUS: Patched CVE SUMMARY: Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct security impact on the curl user; however, it may (in theory) cause a denial of service to associated systems or networks if, for example, --retry-delay is misinterpreted as a value much smaller than what was intended. This is not especially plausible because the overflow only happens if the user was trying to specify that curl should wait weeks (or longer) before trying to recover from a transient error. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19909 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2020-8169 CVE STATUS: Patched CVE SUMMARY: curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8169 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2020-8177 CVE STATUS: Patched CVE SUMMARY: curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8177 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2020-8231 CVE STATUS: Patched CVE SUMMARY: Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8231 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2020-8284 CVE STATUS: Patched CVE SUMMARY: A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8284 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2020-8285 CVE STATUS: Patched CVE SUMMARY: curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8285 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2020-8286 CVE STATUS: Patched CVE SUMMARY: curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8286 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22876 CVE STATUS: Patched CVE SUMMARY: curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22876 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22890 CVE STATUS: Patched CVE SUMMARY: curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22890 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22897 CVE STATUS: Patched CVE SUMMARY: curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22897 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22898 CVE STATUS: Patched CVE SUMMARY: curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 3.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22898 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22901 CVE STATUS: Patched CVE SUMMARY: curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22901 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22922 CVE STATUS: Patched CVE SUMMARY: When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22922 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22923 CVE STATUS: Patched CVE SUMMARY: When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22923 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22924 CVE STATUS: Patched CVE SUMMARY: libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22924 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22925 CVE STATUS: Patched CVE SUMMARY: curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22925 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22926 CVE STATUS: Patched CVE SUMMARY: libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22926 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22945 CVE STATUS: Patched CVE SUMMARY: When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22945 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22946 CVE STATUS: Patched CVE SUMMARY: A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22946 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2021-22947 CVE STATUS: Patched CVE SUMMARY: When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22947 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-22576 CVE STATUS: Patched CVE SUMMARY: An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). CVSS v2 BASE SCORE: 5.5 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22576 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-27774 CVE STATUS: Patched CVE SUMMARY: An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers. CVSS v2 BASE SCORE: 3.5 CVSS v3 BASE SCORE: 5.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27774 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-27775 CVE STATUS: Patched CVE SUMMARY: An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27775 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-27776 CVE STATUS: Patched CVE SUMMARY: A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27776 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-27778 CVE STATUS: Patched CVE SUMMARY: A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27778 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-27779 CVE STATUS: Patched CVE SUMMARY: libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27779 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-27780 CVE STATUS: Patched CVE SUMMARY: The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27780 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-27781 CVE STATUS: Patched CVE SUMMARY: libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27781 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-27782 CVE STATUS: Patched CVE SUMMARY: libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27782 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-30115 CVE STATUS: Patched CVE SUMMARY: Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30115 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-32205 CVE STATUS: Patched CVE SUMMARY: A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32205 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-32206 CVE STATUS: Patched CVE SUMMARY: curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32206 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-32207 CVE STATUS: Patched CVE SUMMARY: When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32207 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-32208 CVE STATUS: Patched CVE SUMMARY: When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32208 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-32221 CVE STATUS: Patched CVE SUMMARY: When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32221 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-35252 CVE STATUS: Patched CVE SUMMARY: When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35252 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-35260 CVE STATUS: Patched CVE SUMMARY: curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35260 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-42915 CVE STATUS: Patched CVE SUMMARY: curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42915 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-42916 CVE STATUS: Patched CVE SUMMARY: In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42916 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-43551 CVE STATUS: Patched CVE SUMMARY: A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43551 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2022-43552 CVE STATUS: Patched CVE SUMMARY: A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43552 LAYER: meta PACKAGE NAME: curl PACKAGE VERSION: 8.7.1 CVE: CVE-2023-23914 CVE STATUS: Patched CVE SUMMARY: A cleartext transmission of sensitive information vulnerability exists in curl ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-45582 LAYER: meta PACKAGE NAME: tar PACKAGE VERSION: 1.35 CVE: CVE-2026-5704 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5704 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2014-0172 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the check_section function in dwarf_begin_elf.c in the libdw library, as used in elfutils 0.153 and possibly through 0.158 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed compressed debug section in an ELF file, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0172 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2014-9447 CVE STATUS: Patched CVE SUMMARY: Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9447 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2016-10254 CVE STATUS: Patched CVE SUMMARY: The allocate_elf function in common.h in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted ELF file, which triggers a memory allocation failure. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10254 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2016-10255 CVE STATUS: Patched CVE SUMMARY: The __libelf_set_rawdata_wrlock function in elf_getdata.c in elfutils before 0.168 allows remote attackers to cause a denial of service (crash) via a crafted (1) sh_off or (2) sh_size ELF header value, which triggers a memory allocation failure. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10255 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2017-7607 CVE STATUS: Patched CVE SUMMARY: The handle_gnu_hash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7607 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2017-7608 CVE STATUS: Patched CVE SUMMARY: The ebl_object_note_type_name function in eblobjnotetypename.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7608 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2017-7609 CVE STATUS: Patched CVE SUMMARY: elf_compress.c in elfutils 0.168 does not validate the zlib compression factor, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7609 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2017-7610 CVE STATUS: Patched CVE SUMMARY: The check_group function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7610 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2017-7611 CVE STATUS: Patched CVE SUMMARY: The check_symtab_shndx function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7611 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2017-7612 CVE STATUS: Patched CVE SUMMARY: The check_sysv_hash function in elflint.c in elfutils 0.168 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted ELF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7612 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2017-7613 CVE STATUS: Patched CVE SUMMARY: elflint.c in elfutils 0.168 does not validate the number of sections and the number of segments, which allows remote attackers to cause a denial of service (memory consumption) via a crafted ELF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7613 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2018-16062 CVE STATUS: Patched CVE SUMMARY: dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16062 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2018-16402 CVE STATUS: Patched CVE SUMMARY: libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16402 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2018-16403 CVE STATUS: Patched CVE SUMMARY: libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16403 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2018-18310 CVE STATUS: Patched CVE SUMMARY: An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18310 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2018-18520 CVE STATUS: Patched CVE SUMMARY: An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18520 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2018-18521 CVE STATUS: Patched CVE SUMMARY: Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18521 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2018-8769 CVE STATUS: Patched CVE SUMMARY: elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8769 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2019-7146 CVE STATUS: Patched CVE SUMMARY: In elfutils 0.175, there is a buffer over-read in the ebl_object_note function in eblobjnote.c in libebl. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted elf file, as demonstrated by eu-readelf. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7146 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2019-7148 CVE STATUS: Patched CVE SUMMARY: An attempted excessive memory allocation was discovered in the function read_long_names in elf_begin.c in libelf in elfutils 0.174. Remote attackers could leverage this vulnerability to cause a denial-of-service via crafted elf input, which leads to an out-of-memory exception. NOTE: The maintainers believe this is not a real issue, but instead a "warning caused by ASAN because the allocation is big. By setting ASAN_OPTIONS=allocator_may_return_null=1 and running the reproducer, nothing happens." CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7148 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2019-7149 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7149 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2019-7150 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7150 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2019-7664 CVE STATUS: Patched CVE SUMMARY: In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7664 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2019-7665 CVE STATUS: Patched CVE SUMMARY: In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7665 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2020-21047 CVE STATUS: Patched CVE SUMMARY: The libcpu component which is used by libasm of elfutils version 0.177 (git 47780c9e), suffers from denial-of-service vulnerability caused by application crashes due to out-of-bounds write (CWE-787), off-by-one error (CWE-193) and reachable assertion (CWE-617); to exploit the vulnerability, the attackers need to craft certain ELF files which bypass the missing bound checks. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21047 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2021-33294 CVE STATUS: Patched CVE SUMMARY: In elfutils 0.183, an infinite loop was found in the function handle_symtab in readelf.c .Which allows attackers to cause a denial of service (infinite loop) via crafted file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33294 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2024-25260 CVE STATUS: Patched CVE SUMMARY: elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-25260 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2025-1352 CVE STATUS: Patched CVE SUMMARY: A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 2.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-1352 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2025-1365 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as critical, was found in GNU elfutils 0.192. This affects the function process_symtab of the file readelf.c of the component eu-readelf. The manipulation of the argument D/a leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 5e5c0394d82c53e97750fe7b18023e6f84157b81. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 4.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-1365 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2025-1371 CVE STATUS: Patched CVE SUMMARY: A vulnerability has been found in GNU elfutils 0.192 and classified as problematic. This vulnerability affects the function handle_dynamic_symtab of the file readelf.c of the component eu-read. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is identified as b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 4.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-1371 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2025-1372 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in GNU elfutils 0.192. It has been declared as critical. Affected by this vulnerability is the function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf. The manipulation of the argument z/x leads to buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 4.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-1372 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2025-1376 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 1.0 CVSS v3 BASE SCORE: 2.5 CVSS v4 BASE SCORE: 2.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-1376 LAYER: meta PACKAGE NAME: elfutils PACKAGE VERSION: 0.191 CVE: CVE-2025-1377 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as problematic, has been found in GNU elfutils 0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the component eu-strip. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 4.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-1377 LAYER: meta PACKAGE NAME: gpgme PACKAGE VERSION: 1.23.2 CVE: CVE-2007-1263 CVE STATUS: Patched CVE SUMMARY: GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1263 LAYER: meta PACKAGE NAME: gpgme PACKAGE VERSION: 1.23.2 CVE: CVE-2014-3564 CVE STATUS: Patched CVE SUMMARY: Multiple heap-based buffer overflows in the status_handler function in (1) engine-gpgsm.c and (2) engine-uiserver.c in GPGME before 1.5.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to "different line lengths in a specific order." CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3564 LAYER: meta PACKAGE NAME: gpgme PACKAGE VERSION: 1.23.2 CVE: CVE-2020-8945 CVE STATUS: Patched CVE SUMMARY: The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code execution during GPG signature verification. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-8945 LAYER: meta PACKAGE NAME: systemtap PACKAGE VERSION: 5.0 CVE: CVE-2009-0784 CVE STATUS: Patched CVE SUMMARY: Race condition in the SystemTap stap tool 0.0.20080705 and 0.0.20090314 allows local users in the stapusr group to insert arbitrary SystemTap kernel modules and gain privileges via unknown vectors. CVSS v2 BASE SCORE: 6.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0784 LAYER: meta PACKAGE NAME: systemtap PACKAGE VERSION: 5.0 CVE: CVE-2009-2911 CVE STATUS: Patched CVE SUMMARY: SystemTap 1.0, when the --unprivileged option is used, does not properly restrict certain data sizes, which allows local users to (1) cause a denial of service or gain privileges via a print operation with a large number of arguments that trigger a kernel stack overflow, (2) cause a denial of service via crafted DWARF expressions that trigger a kernel stack frame overflow, or (3) cause a denial of service (infinite loop) via vectors that trigger creation of large unwind tables, related to Common Information Entry (CIE) and Call Frame Instruction (CFI) records. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2911 LAYER: meta PACKAGE NAME: systemtap PACKAGE VERSION: 5.0 CVE: CVE-2009-4273 CVE STATUS: Patched CVE SUMMARY: stap-server in SystemTap before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in stap command-line arguments in a request. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4273 LAYER: meta PACKAGE NAME: systemtap PACKAGE VERSION: 5.0 CVE: CVE-2010-0411 CVE STATUS: Patched CVE SUMMARY: Multiple integer signedness errors in the (1) __get_argv and (2) __get_compat_argv functions in tapset/aux_syscalls.stp in SystemTap 1.1 allow local users to cause a denial of service (script crash, or system crash or hang) via a process with a large number of arguments, leading to a buffer overflow. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0411 LAYER: meta PACKAGE NAME: systemtap PACKAGE VERSION: 5.0 CVE: CVE-2010-0412 CVE STATUS: Patched CVE SUMMARY: stap-server in SystemTap 1.1 does not properly restrict the value of the -B (aka BUILD) option, which allows attackers to have an unspecified impact via vectors associated with executing the make program, a different vulnerability than CVE-2009-4273. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0412 LAYER: meta PACKAGE NAME: systemtap PACKAGE VERSION: 5.0 CVE: CVE-2010-4170 CVE STATUS: Patched CVE SUMMARY: The staprun runtime tool in SystemTap 1.3 does not properly clear the environment before executing modprobe, which allows local users to gain privileges by setting the MODPROBE_OPTIONS environment variable to specify a malicious configuration file. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4170 LAYER: meta PACKAGE NAME: systemtap PACKAGE VERSION: 5.0 CVE: CVE-2010-4171 CVE STATUS: Patched CVE SUMMARY: The staprun runtime tool in SystemTap 1.3 does not verify that a module to unload was previously loaded by SystemTap, which allows local users to cause a denial of service (unloading of arbitrary kernel modules). CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4171 LAYER: meta PACKAGE NAME: systemtap PACKAGE VERSION: 5.0 CVE: CVE-2011-1769 CVE STATUS: Patched CVE SUMMARY: SystemTap 1.4 and earlier, when unprivileged (aka stapusr) mode is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) via a crafted ELF program with DWARF expressions that are not properly handled by a stap script that performs context variable access. CVSS v2 BASE SCORE: 1.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1769 LAYER: meta PACKAGE NAME: systemtap PACKAGE VERSION: 5.0 CVE: CVE-2011-1781 CVE STATUS: Patched CVE SUMMARY: SystemTap 1.4, when unprivileged (aka stapusr) mode is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) via a crafted ELF program with DWARF expressions that are not properly handled by a stap script that performs stack unwinding (aka backtracing). CVSS v2 BASE SCORE: 1.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1781 LAYER: meta PACKAGE NAME: systemtap PACKAGE VERSION: 5.0 CVE: CVE-2011-2502 CVE STATUS: Patched CVE SUMMARY: runtime/staprun/staprun_funcs.c in the systemtap runtime tool (staprun) in SystemTap before 1.6 does not properly validate modules when a module path is specified by a user for user-space probing, which allows local users in the stapusr group to gain privileges via a crafted module in the search path in the -u argument. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2502 LAYER: meta PACKAGE NAME: systemtap PACKAGE VERSION: 5.0 CVE: CVE-2011-2503 CVE STATUS: Patched CVE SUMMARY: The insert_module function in runtime/staprun/staprun_funcs.c in the systemtap runtime tool (staprun) in SystemTap before 1.6 does not properly validate a module when loading it, which allows local users to gain privileges via a race condition between the signature validation and the module initialization. CVSS v2 BASE SCORE: 3.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2503 LAYER: meta PACKAGE NAME: systemtap PACKAGE VERSION: 5.0 CVE: CVE-2012-0875 CVE STATUS: Patched CVE SUMMARY: SystemTap 1.7, 1.6.7, and probably other versions, when unprivileged mode is enabled, allows local users to obtain sensitive information from kernel memory or cause a denial of service (kernel panic and crash) via vectors related to crafted DWARF data, which triggers a read of an invalid pointer. CVSS v2 BASE SCORE: 5.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0875 LAYER: meta PACKAGE NAME: libxpm PACKAGE VERSION: 1_3.5.17 CVE: CVE-2016-10164 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in libXpm before 3.5.12, when a program requests parsing XPM extensions on a 64-bit platform, allow remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via (1) the number of extensions or (2) their concatenated length in a crafted XPM file, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10164 LAYER: meta PACKAGE NAME: libxpm PACKAGE VERSION: 1_3.5.17 CVE: CVE-2022-44617 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libXpm. When processing a file with width of 0 and a very large height, some parser functions will be called repeatedly and can lead to an infinite loop, resulting in a Denial of Service in the application linked to the library. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-44617 LAYER: meta PACKAGE NAME: libxpm PACKAGE VERSION: 1_3.5.17 CVE: CVE-2022-46285 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libXpm. This issue occurs when parsing a file with a comment not closed; the end-of-file condition will not be detected, leading to an infinite loop and resulting in a Denial of Service in the application linked to the library. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-46285 LAYER: meta PACKAGE NAME: libxpm PACKAGE VERSION: 1_3.5.17 CVE: CVE-2022-4883 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4883 LAYER: meta PACKAGE NAME: libxpm PACKAGE VERSION: 1_3.5.17 CVE: CVE-2023-43788 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in libXpm due to a boundary condition within the XpmCreateXpmImageFromBuffer() function. This flaw allows a local attacker to trigger an out-of-bounds read error and read the contents of memory on the system. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43788 LAYER: meta PACKAGE NAME: libxpm PACKAGE VERSION: 1_3.5.17 CVE: CVE-2023-43789 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in libXpm where a vulnerability exists due to a boundary condition, a local user can trigger an out-of-bounds read error and read contents of memory on the system. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43789 LAYER: meta PACKAGE NAME: orc PACKAGE VERSION: 0.4.40 CVE: CVE-2024-40897 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer's build environment. This may lead to compromise of developer machines or CI build environments. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40897 LAYER: meta PACKAGE NAME: ofono PACKAGE VERSION: 2.4 CVE: CVE-2023-2794 CVE STATUS: Patched CVE SUMMARY: A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver(). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2794 LAYER: meta PACKAGE NAME: ofono PACKAGE VERSION: 2.4 CVE: CVE-2023-4232 CVE STATUS: Patched CVE SUMMARY: A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_status_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_status_report(). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4232 LAYER: meta PACKAGE NAME: ofono PACKAGE VERSION: 2.4 CVE: CVE-2023-4233 CVE STATUS: Patched CVE SUMMARY: A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the sms_decode_address_field() function during the SMS PDU decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4233 LAYER: meta PACKAGE NAME: ofono PACKAGE VERSION: 2.4 CVE: CVE-2023-4234 CVE STATUS: Patched CVE SUMMARY: A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_submit_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_submit_report(). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4234 LAYER: meta PACKAGE NAME: ofono PACKAGE VERSION: 2.4 CVE: CVE-2023-4235 CVE STATUS: Patched CVE SUMMARY: A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver_report(). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4235 LAYER: meta PACKAGE NAME: ofono PACKAGE VERSION: 2.4 CVE: CVE-2024-7537 CVE STATUS: Patched CVE SUMMARY: oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SMS message lists. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23157. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7537 LAYER: meta PACKAGE NAME: ofono PACKAGE VERSION: 2.4 CVE: CVE-2024-7538 CVE STATUS: Patched CVE SUMMARY: oFono CUSD AT Command Stack-based Buffer Overflow Code Execution Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT Commands. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-23190. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7538 LAYER: meta PACKAGE NAME: ofono PACKAGE VERSION: 2.4 CVE: CVE-2024-7539 CVE STATUS: Patched CVE SUMMARY: oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CUSD commands. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-23195. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7539 LAYER: meta PACKAGE NAME: ofono PACKAGE VERSION: 2.4 CVE: CVE-2024-7540 CVE STATUS: Patched CVE SUMMARY: oFono AT CMGL Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CMGL commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23307. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7540 LAYER: meta PACKAGE NAME: ofono PACKAGE VERSION: 2.4 CVE: CVE-2024-7541 CVE STATUS: Patched CVE SUMMARY: oFono AT CMT Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CMT commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23308. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7541 LAYER: meta PACKAGE NAME: ofono PACKAGE VERSION: 2.4 CVE: CVE-2024-7542 CVE STATUS: Patched CVE SUMMARY: oFono AT CMGR Command Uninitialized Variable Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CMGR commands. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-23309. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7542 LAYER: meta PACKAGE NAME: ofono PACKAGE VERSION: 2.4 CVE: CVE-2024-7543 CVE STATUS: Patched CVE SUMMARY: oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23456. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7543 LAYER: meta PACKAGE NAME: ofono PACKAGE VERSION: 2.4 CVE: CVE-2024-7544 CVE STATUS: Patched CVE SUMMARY: oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23457. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7544 LAYER: meta PACKAGE NAME: ofono PACKAGE VERSION: 2.4 CVE: CVE-2024-7545 CVE STATUS: Patched CVE SUMMARY: oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23458. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7545 LAYER: meta PACKAGE NAME: ofono PACKAGE VERSION: 2.4 CVE: CVE-2024-7546 CVE STATUS: Patched CVE SUMMARY: oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23459. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7546 LAYER: meta PACKAGE NAME: ofono PACKAGE VERSION: 2.4 CVE: CVE-2024-7547 CVE STATUS: Patched CVE SUMMARY: oFono SMS Decoder Stack-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of SMS PDUs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23460. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7547 LAYER: meta PACKAGE NAME: gmp PACKAGE VERSION: 6.3.0 CVE: CVE-2021-43618 CVE STATUS: Patched CVE SUMMARY: GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43618 LAYER: meta PACKAGE NAME: python3-certifi PACKAGE VERSION: 2024.2.2 CVE: CVE-2024-39689 CVE STATUS: Patched CVE SUMMARY: Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues." CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39689 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2008-5516 CVE STATUS: Patched CVE SUMMARY: The web interface in git (gitweb) 1.5.x before 1.5.5 allows remote attackers to execute arbitrary commands via shell metacharacters related to git_search. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5516 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2010-2542 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the is_git_directory function in setup.c in Git before 1.7.2.1 allows local users to gain privileges via a long gitdir: field in a .git file in a working copy. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2542 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2010-3906 CVE STATUS: Patched CVE SUMMARY: Cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) f and (2) fp parameters. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3906 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2013-0308 CVE STATUS: Patched CVE SUMMARY: The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0308 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2014-9390 CVE STATUS: Patched CVE SUMMARY: Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9390 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2014-9938 CVE STATUS: Patched CVE SUMMARY: contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9938 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2016-2315 CVE STATUS: Patched CVE SUMMARY: revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2315 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2016-2324 CVE STATUS: Patched CVE SUMMARY: Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2324 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2017-1000117 CVE STATUS: Patched CVE SUMMARY: A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000117 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2017-14867 CVE STATUS: Patched CVE SUMMARY: Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support. CVSS v2 BASE SCORE: 9.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14867 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2017-15298 CVE STATUS: Patched CVE SUMMARY: Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15298 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2018-1000021 CVE STATUS: Patched CVE SUMMARY: GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack). CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000021 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2018-11233 CVE STATUS: Patched CVE SUMMARY: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11233 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2018-11235 CVE STATUS: Patched CVE SUMMARY: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11235 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2018-17456 CVE STATUS: Patched CVE SUMMARY: Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17456 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2018-19486 CVE STATUS: Patched CVE SUMMARY: Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19486 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2019-1348 CVE STATUS: Patched CVE SUMMARY: An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1348 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2019-1353 CVE STATUS: Patched CVE SUMMARY: An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1353 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2019-1387 CVE STATUS: Patched CVE SUMMARY: An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1387 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2019-19604 CVE STATUS: Patched CVE SUMMARY: Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19604 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2020-11008 CVE STATUS: Patched CVE SUMMARY: Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching _any_ URL, and will return some unspecified stored password, leaking the password to an attacker's server. The vulnerability can be triggered by feeding a malicious URL to `git clone`. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The root of the problem is in Git itself, which should not be feeding blank input to helpers. However, the ability to exploit the vulnerability in practice depends on which helpers are in use. Credential helpers which are known to trigger the vulnerability: - Git's "store" helper - Git's "cache" helper - the "osxkeychain" helper that ships in Git's "contrib" directory Credential helpers which are known to be safe even with vulnerable versions of Git: - Git Credential Manager for Windows Any helper not in this list should be assumed to trigger the vulnerability. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 4.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11008 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2020-5260 CVE STATUS: Patched CVE SUMMARY: Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 9.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-5260 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2021-21300 CVE STATUS: Patched CVE SUMMARY: Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaound, if symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. _before_ cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.62.17.6. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 8.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-21300 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2021-40330 CVE STATUS: Patched CVE SUMMARY: git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-40330 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2022-23521 CVE STATUS: Patched CVE SUMMARY: Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23521 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2022-24765 CVE STATUS: Patched CVE SUMMARY: Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\.git\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\Users` if the user profile is located in `C:\Users\my-user-name`. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24765 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2022-24975 CVE STATUS: Patched CVE SUMMARY: The --mirror documentation for Git through 2.35.1 does not mention the availability of deleted content, aka the "GitBleed" issue. This could present a security risk if information-disclosure auditing processes rely on a clone operation without the --mirror option. Note: This has been disputed by multiple 3rd parties who believe this is an intended feature of the git binary and does not pose a security risk. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24975 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2022-29187 CVE STATUS: Patched CVE SUMMARY: Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29187 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2022-39253 CVE STATUS: Patched CVE SUMMARY: Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-39253 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2022-39260 CVE STATUS: Patched CVE SUMMARY: Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-39260 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2022-41903 CVE STATUS: Patched CVE SUMMARY: Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through git archive via the export-subst mechanism, which expands format specifiers inside of files within the repository during a git archive. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41903 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2022-41953 CVE STATUS: Patched CVE SUMMARY: Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41953 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2023-22490 CVE STATUS: Patched CVE SUMMARY: Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2 v2.38.4 v2.37.6 v2.36.5 v2.35.7 v2.34.7 v2.33.7 v2.32.6, v2.31.7 and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-22490 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2023-23946 CVE STATUS: Patched CVE SUMMARY: Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-23946 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2023-25652 CVE STATUS: Patched CVE SUMMARY: Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25652 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2023-29007 CVE STATUS: Patched CVE SUMMARY: Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29007 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2024-32004 CVE STATUS: Patched CVE SUMMARY: Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32004 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2024-32020 CVE STATUS: Patched CVE SUMMARY: Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a "proper" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32020 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2024-32021 CVE STATUS: Patched CVE SUMMARY: Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32021 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2024-32465 CVE STATUS: Patched CVE SUMMARY: Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: PHYSICAL VECTORSTRING: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32465 LAYER: meta PACKAGE NAME: git PACKAGE VERSION: 2.44.4 CVE: CVE-2025-48384 CVE STATUS: Patched CVE SUMMARY: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-48384 LAYER: openembedded-layer PACKAGE NAME: linuxptp PACKAGE VERSION: 4.4 CVE: CVE-2021-3570 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. This flaw affects linuxptp versions before 3.1.1, before 2.0.1, before 1.9.3, before 1.8.1, before 1.7.1, before 1.6.1 and before 1.5.1. CVSS v2 BASE SCORE: 8.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3570 LAYER: openembedded-layer PACKAGE NAME: linuxptp PACKAGE VERSION: 4.4 CVE: CVE-2021-3571 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the ptp4l program of the linuxptp package. When ptp4l is operating on a little-endian architecture as a PTP transparent clock, a remote attacker could send a crafted one-step sync message to cause an information leak or crash. The highest threat from this vulnerability is to data confidentiality and system availability. This flaw affects linuxptp versions before 3.1.1 and before 2.0.1. CVSS v2 BASE SCORE: 5.5 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3571 LAYER: openembedded-layer PACKAGE NAME: linuxptp PACKAGE VERSION: 4.4 CVE: CVE-2024-42861 CVE STATUS: Patched CVE SUMMARY: An issue in IEEE 802.1AS linuxptp v.4.2 and before allowing a remote attacker to cause a denial of service via a crafted Pdelay_Req message to the time synchronization function CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-42861 LAYER: meta PACKAGE NAME: libinput PACKAGE VERSION: 1.25.0 CVE: CVE-2022-1215 CVE STATUS: Patched CVE SUMMARY: A format string vulnerability was found in libinput CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1215 LAYER: meta PACKAGE NAME: libinput PACKAGE VERSION: 1.25.0 CVE: CVE-2026-35093 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-35093 LAYER: meta PACKAGE NAME: libinput PACKAGE VERSION: 1.25.0 CVE: CVE-2026-35094 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libinput. An attacker capable of deploying a Lua plugin file in specific system directories can exploit a dangling pointer vulnerability. This occurs when a garbage collection cleanup function is called, leaving a pointer that can then be printed to system logs. This could potentially expose sensitive data if the memory location is re-used, leading to information disclosure. For this exploit to work, Lua plugins must be enabled in libinput and loaded by the compositor. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-35094 LAYER: meta PACKAGE NAME: libinput PACKAGE VERSION: 1.25.0 CVE: CVE-2026-50292 CVE STATUS: Unpatched CVE SUMMARY: In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-50292 LAYER: meta-ros2 PACKAGE NAME: libtinyxml2 PACKAGE VERSION: 11.0.0 CVE: CVE-2018-11210 CVE STATUS: Patched CVE SUMMARY: TinyXML2 6.2.0 has a heap-based buffer over-read in the XMLDocument::Parse function in libtinyxml2.so. NOTE: The tinyxml2 developers have determined that the reported overflow is due to improper use of the library and not a vulnerability in tinyxml2 CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11210 LAYER: meta-ros2 PACKAGE NAME: libtinyxml2 PACKAGE VERSION: 11.0.0 CVE: CVE-2024-50614 CVE STATUS: Patched CVE SUMMARY: TinyXML2 through 10.0.0 has a reachable assertion for UINT_MAX/16, that may lead to application exit, in tinyxml2.cpp XMLUtil::GetCharacterRef. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50614 LAYER: meta-ros2 PACKAGE NAME: libtinyxml2 PACKAGE VERSION: 11.0.0 CVE: CVE-2024-50615 CVE STATUS: Patched CVE SUMMARY: TinyXML2 through 10.0.0 has a reachable assertion for UINT_MAX/digit, that may lead to application exit, in tinyxml2.cpp XMLUtil::GetCharacterRef. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50615 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2004-0803 CVE STATUS: Patched CVE SUMMARY: Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0803 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2004-0804 CVE STATUS: Patched CVE SUMMARY: Vulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero, a different vulnerability than CVE-2005-2452. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0804 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2004-0886 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0886 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2004-0929 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the OJPEGVSetField function in tif_ojpeg.c for libtiff 3.6.1 and earlier, when compiled with the OJPEG_SUPPORT (old JPEG support) option, allows remote attackers to execute arbitrary code via a malformed TIFF image. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0929 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2004-1183 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the tiffdump utility for libtiff 3.7.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF file. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1183 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2004-1307 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1307 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2004-1308 CVE STATUS: Patched CVE SUMMARY: Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1308 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2005-1544 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in libTIFF before 3.7.2 allows remote attackers to execute arbitrary code via a TIFF file with a malformed BitsPerSample tag. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1544 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2005-2452 CVE STATUS: Patched CVE SUMMARY: libtiff up to 3.7.0 allows remote attackers to cause a denial of service (application crash) via a TIFF image header with a zero "YCbCr subsampling" value, which causes a divide-by-zero error in (1) tif_strip.c and (2) tif_tile.c, a different vulnerability than CVE-2004-0804. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2452 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2006-0405 CVE STATUS: Patched CVE SUMMARY: The TIFFFetchShortPair function in tif_dirread.c in libtiff 3.8.0 allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers a NULL pointer dereference, possibly due to changes in type declarations and/or the TIFFVSetField function. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0405 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2006-2024 CVE STATUS: Patched CVE SUMMARY: Multiple vulnerabilities in libtiff before 3.8.1 allow context-dependent attackers to cause a denial of service via a TIFF image that triggers errors in (1) the TIFFFetchAnyArray function in (a) tif_dirread.c; (2) certain "codec cleanup methods" in (b) tif_lzw.c, (c) tif_pixarlog.c, and (d) tif_zip.c; (3) and improper restoration of setfield and getfield methods in cleanup functions within (e) tif_jpeg.c, tif_pixarlog.c, (f) tif_fax3.c, and tif_zip.c. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2024 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2006-2025 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the TIFFFetchData function in tif_dirread.c for libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a crafted TIFF image. CVSS v2 BASE SCORE: 6.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2025 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2006-2026 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in tif_jpeg.c in libtiff before 3.8.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers errors related to "setfield/getfield methods in cleanup functions." CVSS v2 BASE SCORE: 6.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2026 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2006-2120 CVE STATUS: Patched CVE SUMMARY: The TIFFToRGB function in libtiff before 3.8.1 allows remote attackers to cause a denial of service (crash) via a crafted TIFF image with Yr/Yg/Yb values that exceed the YCR/YCG/YCB values, which triggers an out-of-bounds read. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2120 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2006-2193 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3.8.2 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a TIFF file with a DocumentName tag that contains UTF-8 characters, which triggers the overflow when a character is sign extended to an integer that produces more digits than expected in an sprintf call. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2193 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2006-2656 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 and earlier might might allow attackers to execute arbitrary code via a long filename. NOTE: tiffsplit is not setuid. If there is not a common scenario under which tiffsplit is called with attacker-controlled command line arguments, then perhaps this issue should not be included in CVE. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2656 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2006-3459 CVE STATUS: Patched CVE SUMMARY: Multiple stack-based buffer overflows in the TIFF library (libtiff) before 3.8.2, as used in Adobe Reader 9.3.0 and other products, allow context-dependent attackers to execute arbitrary code or cause a denial of service via unspecified vectors, including a large tdir_count value in the TIFFFetchShortPair function in tif_dirread.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3459 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2006-3460 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the JPEG decoder in the TIFF library (libtiff) before 3.8.2 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via an encoded JPEG stream that is longer than the scan line size (TiffScanLineSize). CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3460 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2006-3461 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the PixarLog decoder in the TIFF library (libtiff) before 3.8.2 might allow context-dependent attackers to execute arbitrary code via unknown vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3461 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2006-3462 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the NeXT RLE decoder in the TIFF library (libtiff) before 3.8.2 might allow context-dependent attackers to execute arbitrary code via unknown vectors involving decoding large RLE images. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3462 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2006-3463 CVE STATUS: Patched CVE SUMMARY: The EstimateStripByteCounts function in TIFF library (libtiff) before 3.8.2 uses a 16-bit unsigned short when iterating over an unsigned 32-bit value, which allows context-dependent attackers to cause a denial of service via a large td_nstrips value, which triggers an infinite loop. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3463 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2006-3464 CVE STATUS: Patched CVE SUMMARY: TIFF library (libtiff) before 3.8.2 allows context-dependent attackers to pass numeric range checks and possibly execute code, and trigger assert errors, via large offset values in a TIFF directory that lead to an integer overflow and other unspecified vectors involving "unchecked arithmetic operations". CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3464 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2006-3465 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the custom tag support for the TIFF library (libtiff) before 3.8.2 allows remote attackers to cause a denial of service (instability or crash) and execute arbitrary code via unknown vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3465 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2008-2327 CVE STATUS: Patched CVE SUMMARY: Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2327 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2009-2285 CVE STATUS: Patched CVE SUMMARY: Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allows context-dependent attackers to cause a denial of service (crash) via a crafted TIFF image, a different vulnerability than CVE-2008-2327. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2285 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2009-2347 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2347 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2009-5022 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in tif_ojpeg.c in the OJPEG decoder in LibTIFF before 3.9.5 allows remote attackers to execute arbitrary code via a crafted TIFF file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5022 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2010-2065 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF file that triggers a buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2065 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2010-2067 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the TIFFFetchSubjectDistance function in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long EXIF SubjectDistance field in a TIFF file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2067 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2010-2233 CVE STATUS: Patched CVE SUMMARY: tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as used in ImageMagick, does not properly perform vertical flips, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF image, related to "downsampled OJPEG input." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2233 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2010-2443 CVE STATUS: Patched CVE SUMMARY: The OJPEGReadBufferFill function in tif_ojpeg.c in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an OJPEG image with undefined strip offsets, related to the TIFFVGetField function. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2443 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2010-2481 CVE STATUS: Patched CVE SUMMARY: The TIFFExtractData macro in LibTIFF before 3.9.4 does not properly handle unknown tag types in TIFF directory entries, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted TIFF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2481 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2010-2482 CVE STATUS: Patched CVE SUMMARY: LibTIFF 3.9.4 and earlier does not properly handle an invalid td_stripbytecount field, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted TIFF file, a different vulnerability than CVE-2010-2443. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2482 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2010-2483 CVE STATUS: Patched CVE SUMMARY: The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a TIFF file with an invalid combination of SamplesPerPixel and Photometric values. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2483 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2010-2595 CVE STATUS: Patched CVE SUMMARY: The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as used in ImageMagick, does not properly handle invalid ReferenceBlackWhite values, which allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers an array index error, related to "downsampled OJPEG input." CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2595 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2010-2596 CVE STATUS: Patched CVE SUMMARY: The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2, as used in tiff2ps, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF image, related to "downsampled OJPEG input." CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2596 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2010-2597 CVE STATUS: Patched CVE SUMMARY: The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2 makes incorrect calls to the TIFFGetField function, which allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image, related to "downsampled OJPEG input" and possibly related to a compiler optimization that triggers a divide-by-zero error. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2597 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2010-2630 CVE STATUS: Patched CVE SUMMARY: The TIFFReadDirectory function in LibTIFF 3.9.0 does not properly validate the data types of codec-specific tags that have an out-of-order position in a TIFF file, which allows remote attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2010-2481. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2630 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2010-2631 CVE STATUS: Patched CVE SUMMARY: LibTIFF 3.9.0 ignores tags in certain situations during the first stage of TIFF file processing and does not properly handle this during the second stage, which allows remote attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2010-2481. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2631 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2010-3087 CVE STATUS: Patched CVE SUMMARY: LibTIFF before 3.9.2-5.2.1 in SUSE openSUSE 11.3 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TIFF image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3087 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2010-4665 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the ReadDirectory function in tiffdump.c in tiffdump in LibTIFF before 3.9.5 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TIFF file containing a directory data structure with many directory entries. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4665 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2011-1167 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote attackers to execute arbitrary code via crafted THUNDER_2BITDELTAS data in a .tiff file that has an unexpected BitsPerSample value. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1167 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2012-1173 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote attackers to execute arbitrary code via a crafted tile size in a TIFF file, which is not properly handled by the (1) gtTileSeparate or (2) gtStripSeparate function, leading to a heap-based buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1173 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2012-2088 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a negative tile depth in a tiff image, which triggers an improper conversion between signed and unsigned types, leading to a heap-based buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2088 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2012-2113 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in tiff2pdf in libtiff before 4.0.2 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2113 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2012-3401 CVE STATUS: Patched CVE SUMMARY: The t2p_read_tiff_init function in tiff2pdf (tools/tiff2pdf.c) in LibTIFF 4.0.2 and earlier does not properly initialize the T2P context struct pointer in certain error conditions, which allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3401 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2012-4447 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in tif_pixarlog.c in LibTIFF before 4.0.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF image using the PixarLog Compression format. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4447 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2012-4564 CVE STATUS: Patched CVE SUMMARY: ppm2tiff does not check the return value of the TIFFScanlineSize function, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PPM image that triggers an integer overflow, a zero-memory allocation, and a heap-based buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4564 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2012-5581 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in tif_dir.c in LibTIFF before 4.0.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DOTRANGE tag in a TIFF image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5581 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2013-1960 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the t2p_process_jpeg_strip function in tiff2pdf in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image file. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1960 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2013-1961 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the t2p_write_pdf_page function in tiff2pdf in libtiff before 4.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted image length and resolution in a TIFF image file. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1961 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2013-4231 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in libtiff before 4.0.3 allow remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) extension block in a GIF image or (2) GIF raster image to tools/gif2tiff.c or (3) a long filename for a TIFF image to tools/rgb2ycbcr.c. NOTE: vectors 1 and 3 are disputed by Red Hat, which states that the input cannot exceed the allocated buffer size. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4231 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2013-4232 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the t2p_readwrite_pdf_image function in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted TIFF image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4232 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2013-4243 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the readgifimage function in the gif2tiff tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted height and width values in a GIF image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4243 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2013-4244 CVE STATUS: Patched CVE SUMMARY: The LZW decompressor in the gif2tiff tool in libtiff 4.0.3 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted GIF image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4244 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2014-8127 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted TIFF image to the (1) checkInkNamesString function in tif_dir.c in the thumbnail tool, (2) compresscontig function in tiff2bw.c in the tiff2bw tool, (3) putcontig8bitCIELab function in tif_getimage.c in the tiff2rgba tool, LZWPreDecode function in tif_lzw.c in the (4) tiff2ps or (5) tiffdither tool, (6) NeXTDecode function in tif_next.c in the tiffmedian tool, or (7) TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8127 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2014-8128 CVE STATUS: Patched CVE SUMMARY: LibTIFF prior to 4.0.4, as used in Apple iOS before 8.4 and OS X before 10.10.4 and other products, allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8128 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2014-8129 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by failure of tif_next.c to verify that the BitsPerSample value is 2, and the t2p_sample_lab_signed_to_unsigned function in tiff2pdf.c. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8129 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2014-8130 CVE STATUS: Patched CVE SUMMARY: The _TIFFmalloc function in tif_unix.c in LibTIFF 4.0.3 does not reject a zero size, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image that is mishandled by the TIFFWriteScanline function in tif_write.c, as demonstrated by tiffdither. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8130 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2014-9330 CVE STATUS: Patched CVE SUMMARY: Integer overflow in tif_packbits.c in bmp2tif in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) via crafted BMP image, related to dimensions, which triggers an out-of-bounds read. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9330 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2014-9655 CVE STATUS: Patched CVE SUMMARY: The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff-cvs-1.tif and libtiff-cvs-2.tif. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9655 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2015-1547 CVE STATUS: Patched CVE SUMMARY: The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff5.tif. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1547 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2015-7313 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue CVE SUMMARY: LibTIFF before 4.0.7 allows remote attackers to cause a denial of service (memory consumption and crash) via a crafted tiff file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7313 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2015-7554 CVE STATUS: Patched CVE SUMMARY: The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7554 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2015-8665 CVE STATUS: Patched CVE SUMMARY: tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via the SamplesPerPixel tag in a TIFF image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8665 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2015-8668 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the PackBitsPreEncode function in tif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote attackers to execute arbitrary code or cause a denial of service via a large width field in a BMP image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8668 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2015-8683 CVE STATUS: Patched CVE SUMMARY: The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8683 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2015-8781 CVE STATUS: Patched CVE SUMMARY: tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image, a different vulnerability than CVE-2015-8782. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8781 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2015-8782 CVE STATUS: Patched CVE SUMMARY: tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image, a different vulnerability than CVE-2015-8781. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8782 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2015-8783 CVE STATUS: Patched CVE SUMMARY: tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8783 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2015-8784 CVE STATUS: Patched CVE SUMMARY: The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image, as demonstrated by libtiff5.tif. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8784 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2015-8870 CVE STATUS: Patched CVE SUMMARY: Integer overflow in tools/bmp2tiff.c in LibTIFF before 4.0.4 allows remote attackers to cause a denial of service (heap-based buffer over-read), or possibly obtain sensitive information from process memory, via crafted width and length values in RLE4 or RLE8 data in a BMP file. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8870 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-10092 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the readContigStripsIntoBuffer function in tif_unix.c in LibTIFF 4.0.7, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5 and 4.0.6 allows remote attackers to have unspecified impact via a crafted image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10092 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-10093 CVE STATUS: Patched CVE SUMMARY: Integer overflow in tools/tiffcp.c in LibTIFF 4.0.7, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5 and 4.0.6 allows remote attackers to have unspecified impact via a crafted image, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10093 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-10094 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the t2p_readwrite_pdf_image_tile function in tools/tiff2pdf.c in LibTIFF 4.0.7 allows remote attackers to have unspecified impact via a crafted image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10094 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-10095 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the _TIFFVGetField function in tif_dir.c in LibTIFF 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7 and 4.0.8 allows remote attackers to cause a denial of service (crash) via a crafted TIFF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10095 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-10266 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10266 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-10267 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10267 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-10268 CVE STATUS: Patched CVE SUMMARY: tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (integer underflow and heap-based buffer under-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 78490" and libtiff/tif_unix.c:115:23. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10268 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-10269 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6 and 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 512" and libtiff/tif_unix.c:340:2. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10269 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-10270 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 8" and libtiff/tif_read.c:523:22. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10270 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-10271 CVE STATUS: Patched CVE SUMMARY: tools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read and buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 1" and libtiff/tif_fax3.c:413:13. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10271 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-10272 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to "WRITE of size 2048" and libtiff/tif_next.c:64:9. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10272 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-10371 CVE STATUS: Patched CVE SUMMARY: The TIFFWriteDirectoryTagCheckedRational function in tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10371 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-3186 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3186 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-3619 CVE STATUS: Patched CVE SUMMARY: The DumpModeEncode function in tif_dumpmode.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c none" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3619 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-3620 CVE STATUS: Patched CVE SUMMARY: The ZIPEncode function in tif_zip.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c zip" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3620 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-3621 CVE STATUS: Patched CVE SUMMARY: The LZWEncode function in tif_lzw.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c lzw" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3621 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-3622 CVE STATUS: Patched CVE SUMMARY: The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3622 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-3623 CVE STATUS: Patched CVE SUMMARY: The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero) by setting the (1) v or (2) h parameter to 0. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3623 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-3624 CVE STATUS: Patched CVE SUMMARY: The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the "-v" option to -1. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3624 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-3625 CVE STATUS: Patched CVE SUMMARY: tif_read.c in the tiff2bw tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TIFF image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3625 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-3631 CVE STATUS: Patched CVE SUMMARY: The (1) cpStrips and (2) cpTiles functions in the thumbnail tool in LibTIFF 4.0.6 and earlier allow remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the bytecounts[] array variable. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3631 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-3632 CVE STATUS: Patched CVE SUMMARY: The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3632 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-3633 CVE STATUS: Patched CVE SUMMARY: The setrow function in the thumbnail tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the src variable. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3633 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-3634 CVE STATUS: Patched CVE SUMMARY: The tagCompare function in tif_dirinfo.c in the thumbnail tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to field_tag matching. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3634 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-3658 CVE STATUS: Patched CVE SUMMARY: The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3658 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-3945 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the (1) cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image, which triggers an out-of-bounds write. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3945 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-3990 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image to tiffcp. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3990 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-3991 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the loadImage function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image with zero tiles. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3991 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-5102 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the readgifimage function in gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (segmentation fault) via a crafted gif file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5102 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-5314 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the PixarLogDecode function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by overwriting the vgetparent function pointer with rgb2ycbcr. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5314 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-5315 CVE STATUS: Patched CVE SUMMARY: The setByteArray function in tif_dir.c in libtiff 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tiff image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5315 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-5316 CVE STATUS: Patched CVE SUMMARY: Out-of-bounds read in the PixarLogCleanup function in tif_pixarlog.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application by sending a crafted TIFF image to the rgb2ycbcr tool. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5316 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-5317 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the PixarLogDecode function in libtiff.so in the PixarLogDecode function in libtiff 4.0.6 and earlier, as used in GNOME nautilus, allows attackers to cause a denial of service attack (crash) via a crafted TIFF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5317 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-5318 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the _TIFFVGetField function in libtiff 4.0.6 and earlier allows remote attackers to crash the application via a crafted tiff. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5318 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-5319 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in tif_packbits.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application via a crafted bmp file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5319 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-5321 CVE STATUS: Patched CVE SUMMARY: The DumpModeDecode function in libtiff 4.0.6 and earlier allows attackers to cause a denial of service (invalid read and crash) via a crafted tiff image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5321 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-5322 CVE STATUS: Patched CVE SUMMARY: The setByteArray function in tif_dir.c in libtiff 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tiff image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5322 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-5323 CVE STATUS: Patched CVE SUMMARY: The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5323 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-5652 CVE STATUS: Patched CVE SUMMARY: An exploitable heap-based buffer overflow exists in the handling of TIFF images in LibTIFF's TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved TIFF file delivered by other means. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5652 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-6223 CVE STATUS: Patched CVE SUMMARY: The TIFFReadRawStrip1 and TIFFReadRawTile1 functions in tif_read.c in libtiff before 4.0.7 allows remote attackers to cause a denial of service (crash) or possibly obtain sensitive information via a negative index in a file-content buffer. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6223 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-8331 CVE STATUS: Patched CVE SUMMARY: An exploitable remote code execution vulnerability exists in the handling of TIFF images in LibTIFF version 4.0.6. A crafted TIFF document can lead to a type confusion vulnerability resulting in remote code execution. This vulnerability can be triggered via a TIFF file delivered to the application using LibTIFF's tag extension functionality. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8331 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-9273 CVE STATUS: Patched CVE SUMMARY: tiffsplit in libtiff 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file, related to changing td_nstrips in TIFF_STRIPCHOP mode. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9273 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-9297 CVE STATUS: Patched CVE SUMMARY: The TIFFFetchNormalTag function in LibTiff 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via crafted TIFF_SETGET_C16ASCII or TIFF_SETGET_C32_ASCII tag values. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9297 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-9448 CVE STATUS: Patched CVE SUMMARY: The TIFFFetchNormalTag function in LibTiff 4.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by setting the tags TIFF_SETGET_C16ASCII or TIFF_SETGET_C32_ASCII to values that access 0-byte arrays. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9297. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9448 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-9453 CVE STATUS: Patched CVE SUMMARY: The t2p_readwrite_pdf_image_tile function in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a JPEG file with a TIFFTAG_JPEGTABLES of length one. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9453 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-9532 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the writeBufferToSeparateStrips function in tiffcrop.c in LibTIFF before 4.0.7 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tif file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9532 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-9533 CVE STATUS: Patched CVE SUMMARY: tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers. Reported as MSVR 35094, aka "PixarLog horizontalDifference heap-buffer-overflow." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9533 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-9534 CVE STATUS: Patched CVE SUMMARY: tif_write.c in libtiff 4.0.6 has an issue in the error code path of TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members. Reported as MSVR 35095, aka "TIFFFlushData1 heap-buffer-overflow." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9534 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-9535 CVE STATUS: Patched CVE SUMMARY: tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9535 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-9536 CVE STATUS: Patched CVE SUMMARY: tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip(). Reported as MSVR 35098, aka "t2p_process_jpeg_strip heap-buffer-overflow." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9536 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-9537 CVE STATUS: Patched CVE SUMMARY: tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in buffers. Reported as MSVR 35093, MSVR 35096, and MSVR 35097. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9537 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-9538 CVE STATUS: Patched CVE SUMMARY: tools/tiffcrop.c in libtiff 4.0.6 reads an undefined buffer in readContigStripsIntoBuffer() because of a uint16 integer overflow. Reported as MSVR 35100. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9538 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-9539 CVE STATUS: Patched CVE SUMMARY: tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in readContigTilesIntoBuffer(). Reported as MSVR 35092. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9539 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2016-9540 CVE STATUS: Patched CVE SUMMARY: tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. Reported as MSVR 35103, aka "cpStripToTile heap-buffer-overflow." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9540 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-10688 CVE STATUS: Patched CVE SUMMARY: In LibTIFF 4.0.8, there is a assertion abort in the TIFFWriteDirectoryTagCheckedLong8Array function in tif_dirwrite.c. A crafted input will lead to a remote denial of service attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10688 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-11335 CVE STATUS: Patched CVE SUMMARY: There is a heap based buffer overflow in tools/tiff2pdf.c of LibTIFF 4.0.8 via a PlanarConfig=Contig image, which causes a more than one hundred bytes out-of-bounds write (related to the ZIPDecode function in tif_zip.c). A crafted input may lead to a remote denial of service attack or an arbitrary code execution attack. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11335 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-11613 CVE STATUS: Patched CVE SUMMARY: In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11613 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-12944 CVE STATUS: Patched CVE SUMMARY: The TIFFReadDirEntryArray function in tif_read.c in LibTIFF 4.0.8 mishandles memory allocation for short files, which allows remote attackers to cause a denial of service (allocation failure and application crash) in the TIFFFetchStripThing function in tif_dirread.c during a tiff2pdf invocation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12944 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-13726 CVE STATUS: Patched CVE SUMMARY: There is a reachable assertion abort in the function TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13726 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-13727 CVE STATUS: Patched CVE SUMMARY: There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13727 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-16232 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16232 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-17095 CVE STATUS: Patched CVE SUMMARY: tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17095 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-17942 CVE STATUS: Patched CVE SUMMARY: In LibTIFF 4.0.9, there is a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17942 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-17973 CVE STATUS: Patched CVE SUMMARY: In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17973 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-18013 CVE STATUS: Patched CVE SUMMARY: In LibTIFF 4.0.9, there is a Null-Pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18013 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-5225 CVE STATUS: Patched CVE SUMMARY: LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5225 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-5563 CVE STATUS: Patched CVE SUMMARY: LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5563 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-7592 CVE STATUS: Patched CVE SUMMARY: The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7592 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-7593 CVE STATUS: Patched CVE SUMMARY: tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7593 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-7594 CVE STATUS: Patched CVE SUMMARY: The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7594 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-7595 CVE STATUS: Patched CVE SUMMARY: The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7595 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-7596 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.0.7 has an "outside the range of representable values of type float" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7596 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-7597 CVE STATUS: Patched CVE SUMMARY: tif_dirread.c in LibTIFF 4.0.7 has an "outside the range of representable values of type float" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7597 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-7598 CVE STATUS: Patched CVE SUMMARY: tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7598 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-7599 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.0.7 has an "outside the range of representable values of type short" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7599 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-7600 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.0.7 has an "outside the range of representable values of type unsigned char" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7600 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-7601 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7601 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-7602 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7602 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-9117 CVE STATUS: Patched CVE SUMMARY: In LibTIFF 4.0.6 and possibly other versions, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, as demonstrated by a heap-based buffer over-read in bmp2tiff. NOTE: mentioning bmp2tiff does not imply that the activation point is in the bmp2tiff.c file (which was removed before the 4.0.7 release). CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9117 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-9147 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in tif_dir.c, which might allow remote attackers to cause a denial of service (crash) via a crafted TIFF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9147 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-9403 CVE STATUS: Patched CVE SUMMARY: In LibTIFF 4.0.7, a memory leak vulnerability was found in the function TIFFReadDirEntryLong8Array in tif_dirread.c, which allows attackers to cause a denial of service via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9403 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-9404 CVE STATUS: Patched CVE SUMMARY: In LibTIFF 4.0.7, a memory leak vulnerability was found in the function OJPEGReadHeaderInfoSecTablesQTable in tif_ojpeg.c, which allows attackers to cause a denial of service via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9404 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-9815 CVE STATUS: Patched CVE SUMMARY: In LibTIFF 4.0.7, the TIFFReadDirEntryLong8Array function in libtiff/tif_dirread.c mishandles a malloc operation, which allows attackers to cause a denial of service (memory leak within the function _TIFFmalloc in tif_unix.c) via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9815 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-9935 CVE STATUS: Patched CVE SUMMARY: In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9935 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-9936 CVE STATUS: Patched CVE SUMMARY: In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c. A crafted TIFF document can lead to a memory leak resulting in a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9936 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2017-9937 CVE STATUS: Patched CVE SUMMARY: In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9937 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-10126 CVE STATUS: Patched CVE SUMMARY: ijg-libjpeg before 9d, as used in tiff2pdf (from LibTIFF) and other products, does not check for a NULL pointer at a certain place in jpeg_fdct_16x16 in jfdctint.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10126 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-10779 CVE STATUS: Patched CVE SUMMARY: TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based buffer over-read, as demonstrated by bmp2tiff. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10779 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-10801 CVE STATUS: Patched CVE SUMMARY: TIFFClientOpen in tif_unix.c in LibTIFF 3.8.2 has memory leaks, as demonstrated by bmp2tiff. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10801 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-10963 CVE STATUS: Patched CVE SUMMARY: The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10963 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-12900 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0beta7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12900 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-15209 CVE STATUS: Patched CVE SUMMARY: ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15209 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-16335 CVE STATUS: Patched CVE SUMMARY: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16335 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-17000 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called from TIFFWriteDirectoryTagTransferfunction) in LibTIFF 4.0.9 allows an attacker to cause a denial-of-service through a crafted tiff file. This vulnerability can be triggered by the executable tiffcp. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17000 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-17100 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17100 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-17101 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17101 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-17795 CVE STATUS: Patched CVE SUMMARY: The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 and earlier allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17795 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-18557 CVE STATUS: Patched CVE SUMMARY: LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18557 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-18661 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18661 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-19210 CVE STATUS: Patched CVE SUMMARY: In LibTIFF 4.0.9, there is a NULL pointer dereference in the TIFFWriteDirectorySec function in tif_dirwrite.c that will lead to a denial of service attack, as demonstrated by tiffset. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19210 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-5360 CVE STATUS: Patched CVE SUMMARY: LibTIFF before 4.0.6 mishandles the reading of TIFF files, as demonstrated by a heap-based buffer over-read in the ReadTIFFImage function in coders/tiff.c in GraphicsMagick 1.3.27. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5360 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-5784 CVE STATUS: Patched CVE SUMMARY: In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5784 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-7456 CVE STATUS: Patched CVE SUMMARY: A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.) CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7456 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2018-8905 CVE STATUS: Patched CVE SUMMARY: In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8905 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2019-14973 CVE STATUS: Patched CVE SUMMARY: _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle Integer Overflow checks because they rely on compiler behavior that is undefined by the applicable C standards. This can, for example, lead to an application crash. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14973 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2019-17546 CVE STATUS: Patched CVE SUMMARY: tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17546 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2019-6128 CVE STATUS: Patched CVE SUMMARY: The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10 has a memory leak, as demonstrated by pal2rgb. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6128 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2019-7663 CVE STATUS: Patched CVE SUMMARY: An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. This is different from CVE-2018-12900. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7663 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2020-18768 CVE STATUS: Patched CVE SUMMARY: There exists one heap buffer overflow in _TIFFmemcpy in tif_unix.c in libtiff 4.0.10, which allows an attacker to cause a denial-of-service through a crafted tiff file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-18768 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2020-19131 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow in LibTiff v4.0.10 allows attackers to cause a denial of service via the "invertImage()" function in the component "tiffcrop". CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19131 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2020-19143 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow in LibTiff v4.0.10 allows attackers to cause a denial of service via the "TIFFVGetField" funtion in the component 'libtiff/tif_dir.c'. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19143 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2020-19144 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow in LibTiff v4.0.10 allows attackers to cause a denial of service via the 'in _TIFFmemcpy' funtion in the component 'tif_unix.c'. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19144 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2020-35521 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libtiff. Due to a memory allocation failure in tif_read.c, a crafted TIFF file can lead to an abort, resulting in denial of service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35521 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2020-35522 CVE STATUS: Patched CVE SUMMARY: In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35522 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2020-35523 CVE STATUS: Patched CVE SUMMARY: An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35523 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2020-35524 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer overflow flaw was found in libtiff in the handling of TIFF images in libtiff's TIFF2PDF tool. A specially crafted TIFF file can lead to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35524 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-0561 CVE STATUS: Patched CVE SUMMARY: Null source pointer passed as an argument to memcpy() function within TIFFFetchStripThing() in tif_dirread.c in libtiff versions from 3.9.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, the fix is available with commit eecb0712. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0561 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-0562 CVE STATUS: Patched CVE SUMMARY: Null source pointer passed as an argument to memcpy() function within TIFFReadDirectory() in tif_dirread.c in libtiff versions from 4.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, a fix is available with commit 561599c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0562 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-0865 CVE STATUS: Patched CVE SUMMARY: Reachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 5e180045. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0865 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-0891 CVE STATUS: Patched CVE SUMMARY: A heap buffer overflow in ExtractImageSection function in tiffcrop.c in libtiff library Version 4.3.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0891 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-0907 CVE STATUS: Patched CVE SUMMARY: Unchecked Return Value to NULL Pointer Dereference in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f2b656e2. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0907 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-0908 CVE STATUS: Patched CVE SUMMARY: Null source pointer passed as an argument to memcpy() function within TIFFFetchNormalTag () in tif_dirread.c in libtiff versions up to 4.3.0 could lead to Denial of Service via crafted TIFF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 7.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0908 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-0909 CVE STATUS: Patched CVE SUMMARY: Divide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f8d0f9aa. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0909 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-0924 CVE STATUS: Patched CVE SUMMARY: Out-of-bounds Read error in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 408976c4. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0924 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-1056 CVE STATUS: Patched CVE SUMMARY: Out-of-bounds Read error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 46dc8fcd. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1056 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-1210 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1210 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-1354 CVE STATUS: Patched CVE SUMMARY: A heap buffer overflow flaw was found in Libtiffs' tiffinfo.c in TIFFReadRawDataStriped() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffinfo tool, triggering a heap buffer overflow issue and causing a crash that leads to a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1354 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-1355 CVE STATUS: Patched CVE SUMMARY: A stack buffer overflow flaw was found in Libtiffs' tiffcp.c in main() function. This flaw allows an attacker to pass a crafted TIFF file to the tiffcp tool, triggering a stack buffer overflow issue, possibly corrupting the memory, and causing a crash that leads to a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1355 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-1622 CVE STATUS: Patched CVE SUMMARY: LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1622 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-1623 CVE STATUS: Patched CVE SUMMARY: LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:624, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1623 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-2056 CVE STATUS: Patched CVE SUMMARY: Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2056 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-2057 CVE STATUS: Patched CVE SUMMARY: Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2057 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-2058 CVE STATUS: Patched CVE SUMMARY: Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2058 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-22844 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22844 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-2519 CVE STATUS: Patched CVE SUMMARY: There is a double free or corruption in rotateImage() at tiffcrop.c:8839 found in libtiff 4.4.0rc1 CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2519 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-2520 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion fail in rotateImage() at tiffcrop.c:8621 that can cause program crash when reading a crafted input. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2520 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-2521 CVE STATUS: Patched CVE SUMMARY: It was found in libtiff 4.4.0rc1 that there is an invalid pointer free operation in TIFFClose() at tif_close.c:131 called by tiffcrop.c:2522 that can cause a program crash and denial of service while processing crafted input. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2521 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-2867 CVE STATUS: Patched CVE SUMMARY: libtiff's tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. An attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters) could cause a crash or in some cases, further exploitation. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2867 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-2868 CVE STATUS: Patched CVE SUMMARY: libtiff's tiffcrop utility has a improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2868 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-2869 CVE STATUS: Patched CVE SUMMARY: libtiff's tiffcrop tool has a uint32_t underflow which leads to out of bounds read and write in the extractContigSamples8bits routine. An attacker who supplies a crafted file to tiffcrop could trigger this flaw, most likely by tricking a user into opening the crafted file with tiffcrop. Triggering this flaw could cause a crash or potentially further exploitation. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2869 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-2953 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds read in extractImageSection in tools/tiffcrop.c:6905, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 48d6ece8. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2953 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-34266 CVE STATUS: Patched CVE SUMMARY: The libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2 allows attackers to cause a denial of service (application crash), a different vulnerability than CVE-2022-0562. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault after use of an uninitialized resource. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-34266 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-34526 CVE STATUS: Patched CVE SUMMARY: A stack overflow was discovered in the _TIFFVGetField function of Tiffsplit v4.4.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted TIFF file parsed by the "tiffsplit" or "tiffcrop" utilities. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-34526 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-3570 CVE STATUS: Patched CVE SUMMARY: Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3570 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-3597 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3597 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-3598 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit cfbb883b. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3598 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-3599 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools/tiffcrop.c:7345, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3599 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-3626 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in libtiff/tif_unix.c:340 when called from processCropSelections, tools/tiffcrop.c:7619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3626 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-3627 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6860, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3627 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-3970 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3970 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-40090 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in function TIFFReadDirectory libtiff before 4.4.0 allows attackers to cause a denial of service via crafted TIFF file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40090 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-4645 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds read in tiffcp in tools/tiffcp.c:948, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4645 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2022-48281 CVE STATUS: Patched CVE SUMMARY: processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., "WRITE of size 307203") via a crafted TIFF image. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48281 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-0795 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3488, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0795 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-0796 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0796 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-0797 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6921, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0797 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-0798 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3400, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0798 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-0799 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3701, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0799 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-0800 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3502, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0800 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-0801 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6778, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0801 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-0802 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3724, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0802 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-0803 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3516, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0803 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-0804 CVE STATUS: Patched CVE SUMMARY: LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3609, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0804 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-1916 CVE STATUS: Patched CVE SUMMARY: A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1916 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-25433 CVE STATUS: Patched CVE SUMMARY: libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25433 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-25434 CVE STATUS: Patched CVE SUMMARY: libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesBytes() at /libtiff/tools/tiffcrop.c:3215. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25434 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-25435 CVE STATUS: Patched CVE SUMMARY: libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25435 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-26965 CVE STATUS: Patched CVE SUMMARY: loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-26965 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-26966 CVE STATUS: Patched CVE SUMMARY: libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-26966 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-2731 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference flaw was found in Libtiff's LZWDecode() function in the libtiff/tif_lzw.c file. This flaw allows a local attacker to craft specific input data that can cause the program to dereference a NULL pointer when decompressing a TIFF format file, resulting in a program crash or denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2731 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-2908 CVE STATUS: Patched CVE SUMMARY: A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2908 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-30086 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability found in Libtiff V.4.0.7 allows a local attacker to cause a denial of service via the tiffcp function in tiffcp.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-30086 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-30774 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in the libtiff library. This flaw causes a heap buffer overflow issue via the TIFFTAG_INKNAMES and TIFFTAG_NUMBEROFINKS values. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-30774 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-30775 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in the libtiff library. This security flaw causes a heap buffer overflow in extractContigSamples32bits, tiffcrop.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-30775 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-3164 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: Issue only affects the tiffcrop tool not compiled by default since 4.6.0 CVE SUMMARY: A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3164 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-3316 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3316 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-3576 CVE STATUS: Patched CVE SUMMARY: A memory leak flaw was found in Libtiff's tiffcrop utility. This issue occurs when tiffcrop operates on a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes this memory leak issue, resulting an application crash, eventually leading to a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3576 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-3618 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3618 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-40745 CVE STATUS: Patched CVE SUMMARY: LibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-40745 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-41175 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. This flaw allows remote attackers to cause a denial of service or possibly execute an arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-41175 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-52355 CVE STATUS: Patched CVE SUMMARY: An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52355 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-52356 CVE STATUS: Patched CVE SUMMARY: A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52356 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-6228 CVE STATUS: Patched CVE SUMMARY: An issue was found in the tiffcp utility distributed by the libtiff package where a crafted TIFF file on processing may cause a heap-based buffer overflow leads to an application crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6228 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2023-6277 CVE STATUS: Patched CVE SUMMARY: An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to TIFFOpen() API may allow a remote attacker to cause a denial of service via a craft input with size smaller than 379 KB. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6277 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2024-13978 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: tools affected by these CVEs are not present in this release CVE SUMMARY: A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as problematic. Affected by this vulnerability is the function t2p_read_tiff_init of the file tools/tiff2pdf.c of the component fax2ps. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. The patch is named 2ebfffb0e8836bfb1cd7d85c059cd285c59761a4. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 1.0 CVSS v3 BASE SCORE: 2.5 CVSS v4 BASE SCORE: 2.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-13978 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2024-7006 CVE STATUS: Patched CVE SUMMARY: A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7006 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2025-61143 CVE STATUS: Unpatched CVE SUMMARY: libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-61143 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2025-61144 CVE STATUS: Unpatched CVE SUMMARY: libtiff up to v4.7.1 was discovered to contain a stack overflow via the readSeparateStripsIntoBuffer function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-61144 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2025-61145 CVE STATUS: Unpatched CVE SUMMARY: libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-61145 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2025-8176 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: tools affected by these CVEs are not present in this release CVE SUMMARY: A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as critical. This vulnerability affects the function get_histogram of the file tools/tiffmedian.c. The manipulation leads to use after free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-8176 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2025-8177 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: tools affected by these CVEs are not present in this release CVE SUMMARY: A vulnerability was found in LibTIFF up to 4.7.0. It has been rated as critical. This issue affects the function setrow of the file tools/thumbnail.c. The manipulation leads to buffer overflow. An attack has to be approached locally. The patch is named e8c9d6c616b19438695fd829e58ae4fde5bfbc22. It is recommended to apply a patch to fix this issue. This vulnerability only affects products that are no longer supported by the maintainer. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 4.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-8177 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2025-8534 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: tools affected by these CVEs are not present in this release CVE SUMMARY: A vulnerability classified as problematic was found in libtiff 4.6.0. This vulnerability affects the function PS_Lvl2page of the file tools/tiff2ps.c of the component tiff2ps. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 6ba36f159fd396ad11bf6b7874554197736ecc8b. It is recommended to apply a patch to fix this issue. One of the maintainers explains, that "[t]his error only occurs if DEFER_STRILE_LOAD (defer-strile-load:BOOL=ON) or TIFFOpen( .. "rD") option is used." CVSS v2 BASE SCORE: 1.0 CVSS v3 BASE SCORE: 2.5 CVSS v4 BASE SCORE: 1.1 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-8534 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2025-8851 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: tools affected by these CVEs are not present in this release CVE SUMMARY: A vulnerability was determined in LibTIFF up to 4.5.1. Affected by this issue is the function readSeparateStripsetoBuffer of the file tools/tiffcrop.c of the component tiffcrop. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The patch is identified as 8a7a48d7a645992ca83062b3a1873c951661e2b3. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 4.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-8851 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2025-8961 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: tools affected by these CVEs are not present in this release CVE SUMMARY: A weakness has been identified in LibTIFF 4.7.0. This affects the function main of the file tiffcrop.c of the component tiffcrop. Executing manipulation can lead to memory corruption. The attack can only be executed locally. The exploit has been made available to the public and could be exploited. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-8961 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2025-9165 CVE STATUS: Patched CVE SUMMARY: A flaw has been found in LibTIFF 4.7.0. This affects the function _TIFFmallocExt/_TIFFCheckRealloc/TIFFHashSetNew/InitCCITTFax3 of the file tools/tiffcmp.c of the component tiffcmp. Executing manipulation can lead to memory leak. The attack is restricted to local execution. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The exploit has been published and may be used. There is ongoing doubt regarding the real existence of this vulnerability. This patch is called ed141286a37f6e5ddafb5069347ff5d587e7a4e0. It is best practice to apply a patch to resolve this issue. A researcher disputes the security impact of this issue, because "this is a memory leak on a command line tool that is about to exit anyway". In the reply the project maintainer declares this issue as "a simple 'bug' when leaving the command line tool and (...) not a security issue at all". CVSS v2 BASE SCORE: 1.0 CVSS v3 BASE SCORE: 2.5 CVSS v4 BASE SCORE: 1.1 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-9165 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2025-9900 CVE STATUS: Patched CVE SUMMARY: A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-9900 LAYER: meta PACKAGE NAME: tiff PACKAGE VERSION: 4.6.0 CVE: CVE-2026-4775 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations, potentially causing a denial of service (application crash) or arbitrary code execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-4775 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-1999-0428 CVE STATUS: Patched CVE SUMMARY: OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0428 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2000-0535 CVE STATUS: Patched CVE SUMMARY: OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the existence of the /dev/random or /dev/urandom devices, which are absent on FreeBSD Alpha systems, which causes them to produce weak keys which may be more easily broken. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0535 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2000-1254 CVE STATUS: Patched CVE SUMMARY: crypto/rsa/rsa_gen.c in OpenSSL before 0.9.6 mishandles C bitwise-shift operations that exceed the size of an expression, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging improper RSA key generation on 64-bit HP-UX platforms. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1254 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2001-1141 CVE STATUS: Patched CVE SUMMARY: The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before 0.9.6b allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1141 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2002-0655 CVE STATUS: Patched CVE SUMMARY: OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, does not properly handle ASCII representations of integers on 64 bit platforms, which could allow attackers to cause a denial of service and possibly execute arbitrary code. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0655 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2002-0656 CVE STATUS: Patched CVE SUMMARY: Buffer overflows in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allow remote attackers to execute arbitrary code via (1) a large client master key in SSL2 or (2) a large session ID in SSL3. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0656 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2002-0657 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in OpenSSL 0.9.7 before 0.9.7-beta3, with Kerberos enabled, allows attackers to execute arbitrary code via a long master key. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0657 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2002-0659 CVE STATUS: Patched CVE SUMMARY: The ASN1 library in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allows remote attackers to cause a denial of service via invalid encodings. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0659 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2002-1568 CVE STATUS: Patched CVE SUMMARY: OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks instead of less severe mechanisms, which allows remote attackers to cause a denial of service (crash) via certain messages that cause OpenSSL to abort from a failed assertion, as demonstrated using SSLv2 CLIENT_MASTER_KEY messages, which are not properly handled in s2_srvr.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1568 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2003-0078 CVE STATUS: Patched CVE SUMMARY: ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack." CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0078 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2003-0131 CVE STATUS: Patched CVE SUMMARY: The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0131 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2003-0147 CVE STATUS: Patched CVE SUMMARY: OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0147 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2003-0543 CVE STATUS: Patched CVE SUMMARY: Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0543 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2003-0544 CVE STATUS: Patched CVE SUMMARY: OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0544 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2003-0545 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0545 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2003-0851 CVE STATUS: Patched CVE SUMMARY: OpenSSL 0.9.6k allows remote attackers to cause a denial of service (crash via large recursion) via malformed ASN.1 sequences. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0851 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2004-0079 CVE STATUS: Patched CVE SUMMARY: The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0079 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2004-0081 CVE STATUS: Patched CVE SUMMARY: OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0081 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2004-0975 CVE STATUS: Patched CVE SUMMARY: The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0975 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2005-1797 CVE STATUS: Patched CVE SUMMARY: The design of Advanced Encryption Standard (AES), aka Rijndael, allows remote attackers to recover AES keys via timing attacks on S-box lookups, which are difficult to perform in constant time in AES implementations. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1797 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2005-2946 CVE STATUS: Patched CVE SUMMARY: The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message digests instead of a more cryptographically strong algorithm, which makes it easier for remote attackers to forge certificates with a valid certificate authority signature. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2946 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2005-2969 CVE STATUS: Patched CVE SUMMARY: The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2969 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2006-2937 CVE STATUS: Patched CVE SUMMARY: OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2937 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2006-2940 CVE STATUS: Patched CVE SUMMARY: OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2940 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2006-3738 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3738 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2006-4339 CVE STATUS: Patched CVE SUMMARY: OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4339 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2006-4343 CVE STATUS: Patched CVE SUMMARY: The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4343 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2006-7250 CVE STATUS: Patched CVE SUMMARY: The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7250 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2007-3108 CVE STATUS: Patched CVE SUMMARY: The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys. CVSS v2 BASE SCORE: 1.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3108 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2007-4995 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f allows remote attackers to execute arbitrary code via unspecified vectors. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4995 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2007-5135 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5135 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2008-0166 CVE STATUS: Patched CVE SUMMARY: OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0166 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2008-0891 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a malformed Client Hello packet. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0891 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2008-1672 CVE STATUS: Patched CVE SUMMARY: OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses "particular cipher suites," which triggers a NULL pointer dereference. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1672 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2008-1678 CVE STATUS: Patched CVE SUMMARY: Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1678 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2008-5077 CVE STATUS: Patched CVE SUMMARY: OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5077 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2008-7270 CVE STATUS: Patched CVE SUMMARY: OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-7270 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2009-0590 CVE STATUS: Patched CVE SUMMARY: The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0590 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2009-0591 CVE STATUS: Patched CVE SUMMARY: The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0591 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2009-0653 CVE STATUS: Patched CVE SUMMARY: OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an intermediate CA-signed certificate, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack, a related issue to CVE-2002-0970. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0653 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2009-0789 CVE STATUS: Patched CVE SUMMARY: OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0789 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2009-1377 CVE STATUS: Patched CVE SUMMARY: The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug." CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1377 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2009-1378 CVE STATUS: Patched CVE SUMMARY: Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak." CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1378 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2009-1379 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1379 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2009-1386 CVE STATUS: Patched CVE SUMMARY: ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1386 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2009-1387 CVE STATUS: Patched CVE SUMMARY: The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug." CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1387 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2009-2409 CVE STATUS: Patched CVE SUMMARY: The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2409 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2009-3245 CVE STATUS: Patched CVE SUMMARY: OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3245 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2009-3555 CVE STATUS: Patched CVE SUMMARY: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3555 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2009-4355 CVE STATUS: Patched CVE SUMMARY: Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4355 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2010-0433 CVE STATUS: Patched CVE SUMMARY: The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0433 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2010-0740 CVE STATUS: Patched CVE SUMMARY: The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a NULL pointer dereference, related to the minor version number. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0740 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2010-0742 CVE STATUS: Patched CVE SUMMARY: The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0742 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2010-0928 CVE STATUS: Patched CVE SUMMARY: OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0928 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2010-1633 CVE STATUS: Patched CVE SUMMARY: RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1633 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2010-2939 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime. NOTE: some sources refer to this as a use-after-free issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2939 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2010-3864 CVE STATUS: Patched CVE SUMMARY: Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography. CVSS v2 BASE SCORE: 7.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3864 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2010-4180 CVE STATUS: Patched CVE SUMMARY: OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4180 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2010-4252 CVE STATUS: Patched CVE SUMMARY: OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4252 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2010-5298 CVE STATUS: Patched CVE SUMMARY: Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5298 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2011-0014 CVE STATUS: Patched CVE SUMMARY: ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka "OCSP stapling vulnerability." CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0014 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2011-1473 CVE STATUS: Patched CVE SUMMARY: OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1473 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2011-1945 CVE STATUS: Patched CVE SUMMARY: The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1945 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2011-3207 CVE STATUS: Patched CVE SUMMARY: crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3207 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2011-3210 CVE STATUS: Patched CVE SUMMARY: The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows remote attackers to cause a denial of service (daemon crash) via out-of-order messages that violate the TLS protocol. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3210 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2011-4108 CVE STATUS: Patched CVE SUMMARY: The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4108 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2011-4109 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4109 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2011-4354 CVE STATUS: Patched CVE SUMMARY: crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4354 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2011-4576 CVE STATUS: Patched CVE SUMMARY: The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4576 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2011-4577 CVE STATUS: Patched CVE SUMMARY: OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4577 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2011-4619 CVE STATUS: Patched CVE SUMMARY: The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4619 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2011-5095 CVE STATUS: Patched CVE SUMMARY: The Diffie-Hellman key-exchange implementation in OpenSSL 0.9.8, when FIPS mode is enabled, does not properly validate a public parameter, which makes it easier for man-in-the-middle attackers to obtain the shared secret key by modifying network traffic, a related issue to CVE-2011-1923. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-5095 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2012-0027 CVE STATUS: Patched CVE SUMMARY: The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0027 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2012-0050 CVE STATUS: Patched CVE SUMMARY: OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which allows remote attackers to cause a denial of service (crash) via unspecified vectors related to an out-of-bounds read. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4108. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0050 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2012-0884 CVE STATUS: Patched CVE SUMMARY: The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0884 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2012-1165 CVE STATUS: Patched CVE SUMMARY: The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1165 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2012-2110 CVE STATUS: Patched CVE SUMMARY: The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2110 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2012-2131 CVE STATUS: Patched CVE SUMMARY: Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2110. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2131 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2012-2333 CVE STATUS: Patched CVE SUMMARY: Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2333 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2012-2686 CVE STATUS: Patched CVE SUMMARY: crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1 and 1.2 implementations in OpenSSL 1.0.1 before 1.0.1d allows remote attackers to cause a denial of service (application crash) via crafted CBC data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2686 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2013-0166 CVE STATUS: Patched CVE SUMMARY: OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0166 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2013-0169 CVE STATUS: Patched CVE SUMMARY: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0169 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2013-4353 CVE STATUS: Patched CVE SUMMARY: The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4353 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2013-6449 CVE STATUS: Patched CVE SUMMARY: The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6449 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2013-6450 CVE STATUS: Patched CVE SUMMARY: The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6450 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-0076 CVE STATUS: Patched CVE SUMMARY: The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0076 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-0160 CVE STATUS: Patched CVE SUMMARY: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0160 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-0195 CVE STATUS: Patched CVE SUMMARY: The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0195 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-0198 CVE STATUS: Patched CVE SUMMARY: The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0198 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-0221 CVE STATUS: Patched CVE SUMMARY: The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0221 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-0224 CVE STATUS: Patched CVE SUMMARY: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0224 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3470 CVE STATUS: Patched CVE SUMMARY: The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3470 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3505 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3505 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3506 CVE STATUS: Patched CVE SUMMARY: d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3506 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3507 CVE STATUS: Patched CVE SUMMARY: Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3507 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3508 CVE STATUS: Patched CVE SUMMARY: The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3508 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3509 CVE STATUS: Patched CVE SUMMARY: Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3509 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3510 CVE STATUS: Patched CVE SUMMARY: The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS servers to cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in conjunction with a (1) anonymous DH or (2) anonymous ECDH ciphersuite. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3510 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3511 CVE STATUS: Patched CVE SUMMARY: The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3511 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3512 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL 1.0.1 before 1.0.1i allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid SRP (1) g, (2) A, or (3) B parameter. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3512 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3513 CVE STATUS: Patched CVE SUMMARY: Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3513 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3566 CVE STATUS: Patched CVE SUMMARY: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3566 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3567 CVE STATUS: Patched CVE SUMMARY: Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3567 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3568 CVE STATUS: Patched CVE SUMMARY: OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3568 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3569 CVE STATUS: Patched CVE SUMMARY: The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3569 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3570 CVE STATUS: Patched CVE SUMMARY: The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3570 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3571 CVE STATUS: Patched CVE SUMMARY: OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3571 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-3572 CVE STATUS: Patched CVE SUMMARY: The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3572 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-5139 CVE STATUS: Patched CVE SUMMARY: The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiation of that ciphersuite with the client. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5139 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-8176 CVE STATUS: Patched CVE SUMMARY: The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8176 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2014-8275 CVE STATUS: Patched CVE SUMMARY: OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8275 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-0204 CVE STATUS: Patched CVE SUMMARY: The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0204 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-0205 CVE STATUS: Patched CVE SUMMARY: The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0205 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-0206 CVE STATUS: Patched CVE SUMMARY: Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0206 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-0207 CVE STATUS: Patched CVE SUMMARY: The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a does not properly isolate the state information of independent data streams, which allows remote attackers to cause a denial of service (application crash) via crafted DTLS traffic, as demonstrated by DTLS 1.0 traffic to a DTLS 1.2 server. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0207 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-0208 CVE STATUS: Patched CVE SUMMARY: The ASN.1 signature-verification implementation in the rsa_item_verify function in crypto/rsa/rsa_ameth.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted RSA PSS parameters to an endpoint that uses the certificate-verification feature. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0208 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-0209 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0209 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-0285 CVE STATUS: Patched CVE SUMMARY: The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG is seeded before proceeding with a handshake, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and then conducting a brute-force attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0285 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-0286 CVE STATUS: Patched CVE SUMMARY: The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0286 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-0287 CVE STATUS: Patched CVE SUMMARY: The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0287 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-0288 CVE STATUS: Patched CVE SUMMARY: The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0288 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-0289 CVE STATUS: Patched CVE SUMMARY: The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0289 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-0290 CVE STATUS: Patched CVE SUMMARY: The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with AES NI support does not properly handle certain non-blocking I/O cases, which allows remote attackers to cause a denial of service (pointer corruption and application crash) via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0290 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-0291 CVE STATUS: Patched CVE SUMMARY: The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by using an invalid signature_algorithms extension in the ClientHello message during a renegotiation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0291 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-0292 CVE STATUS: Patched CVE SUMMARY: Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0292 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-0293 CVE STATUS: Patched CVE SUMMARY: The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0293 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-1787 CVE STATUS: Patched CVE SUMMARY: The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2 before 1.0.2a, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled, allows remote attackers to cause a denial of service (daemon crash) via a ClientKeyExchange message with a length of zero. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1787 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-1788 CVE STATUS: Patched CVE SUMMARY: The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1788 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-1789 CVE STATUS: Patched CVE SUMMARY: The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1789 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-1790 CVE STATUS: Patched CVE SUMMARY: The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1790 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-1791 CVE STATUS: Patched CVE SUMMARY: Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1791 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-1792 CVE STATUS: Patched CVE SUMMARY: The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1792 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-1793 CVE STATUS: Patched CVE SUMMARY: The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1793 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-1794 CVE STATUS: Patched CVE SUMMARY: The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 before 1.0.2e allows remote servers to cause a denial of service (segmentation fault) via a zero p value in an anonymous Diffie-Hellman (DH) ServerKeyExchange message. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1794 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-3193 CVE STATUS: Patched CVE SUMMARY: The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3193 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-3194 CVE STATUS: Patched CVE SUMMARY: crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3194 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-3195 CVE STATUS: Patched CVE SUMMARY: The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3195 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-3196 CVE STATUS: Patched CVE SUMMARY: ssl/s3_clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and 1.0.2 before 1.0.2d, when used for a multi-threaded client, writes the PSK identity hint to an incorrect data structure, which allows remote servers to cause a denial of service (race condition and double free) via a crafted ServerKeyExchange message. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3196 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-3197 CVE STATUS: Patched CVE SUMMARY: ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3197 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-3216 CVE STATUS: Patched CVE SUMMARY: Race condition in a certain Red Hat patch to the PRNG lock implementation in the ssleay_rand_bytes function in OpenSSL, as distributed in openssl-1.0.1e-25.el7 in Red Hat Enterprise Linux (RHEL) 7 and other products, allows remote attackers to cause a denial of service (application crash) by establishing many TLS sessions to a multithreaded server, leading to use of a negative value for a certain length field. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3216 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2015-4000 CVE STATUS: Patched CVE SUMMARY: The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4000 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-0701 CVE STATUS: Patched CVE SUMMARY: The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0701 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-0702 CVE STATUS: Patched CVE SUMMARY: The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0702 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-0703 CVE STATUS: Patched CVE SUMMARY: The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0703 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-0704 CVE STATUS: Patched CVE SUMMARY: An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0704 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-0705 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0705 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-0797 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0797 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-0798 CVE STATUS: Patched CVE SUMMARY: Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0798 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-0799 CVE STATUS: Patched CVE SUMMARY: The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0799 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-0800 CVE STATUS: Patched CVE SUMMARY: The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0800 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-2105 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2105 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-2106 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2106 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-2107 CVE STATUS: Patched CVE SUMMARY: The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2107 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-2108 CVE STATUS: Patched CVE SUMMARY: The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2108 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-2109 CVE STATUS: Patched CVE SUMMARY: The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2109 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-2176 CVE STATUS: Patched CVE SUMMARY: The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2176 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-2177 CVE STATUS: Patched CVE SUMMARY: OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2177 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-2178 CVE STATUS: Patched CVE SUMMARY: The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2178 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-2179 CVE STATUS: Patched CVE SUMMARY: The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2179 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-2180 CVE STATUS: Patched CVE SUMMARY: The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2180 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-2181 CVE STATUS: Patched CVE SUMMARY: The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2181 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-2182 CVE STATUS: Patched CVE SUMMARY: The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2182 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-2183 CVE STATUS: Patched CVE SUMMARY: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2183 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-2842 CVE STATUS: Patched CVE SUMMARY: The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2842 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-6302 CVE STATUS: Patched CVE SUMMARY: The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6302 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-6303 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6303 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-6304 CVE STATUS: Patched CVE SUMMARY: Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6304 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-6305 CVE STATUS: Patched CVE SUMMARY: The ssl3_read_bytes function in record/rec_layer_s3.c in OpenSSL 1.1.0 before 1.1.0a allows remote attackers to cause a denial of service (infinite loop) by triggering a zero-length record in an SSL_peek call. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6305 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-6306 CVE STATUS: Patched CVE SUMMARY: The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6306 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-6307 CVE STATUS: Patched CVE SUMMARY: The state-machine implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted TLS messages, related to statem/statem.c and statem/statem_lib.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6307 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-6308 CVE STATUS: Patched CVE SUMMARY: statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted DTLS messages. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6308 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-6309 CVE STATUS: Patched CVE SUMMARY: statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6309 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-7052 CVE STATUS: Patched CVE SUMMARY: crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7052 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-7053 CVE STATUS: Patched CVE SUMMARY: In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which do not handle NULL value are affected. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7053 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-7054 CVE STATUS: Patched CVE SUMMARY: In OpenSSL 1.1.0 before 1.1.0c, TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7054 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-7055 CVE STATUS: Patched CVE SUMMARY: There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7055 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-7056 CVE STATUS: Patched CVE SUMMARY: A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7056 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2016-8610 CVE STATUS: Patched CVE SUMMARY: A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8610 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2017-3730 CVE STATUS: Patched CVE SUMMARY: In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3730 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2017-3731 CVE STATUS: Patched CVE SUMMARY: If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3731 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2017-3732 CVE STATUS: Patched CVE SUMMARY: There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3732 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2017-3733 CVE STATUS: Patched CVE SUMMARY: During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3733 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2017-3735 CVE STATUS: Patched CVE SUMMARY: While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3735 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2017-3736 CVE STATUS: Patched CVE SUMMARY: There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3736 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2017-3737 CVE STATUS: Patched CVE SUMMARY: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3737 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2017-3738 CVE STATUS: Patched CVE SUMMARY: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-3738 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2018-0732 CVE STATUS: Patched CVE SUMMARY: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0732 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2018-0733 CVE STATUS: Patched CVE SUMMARY: Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0733 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2018-0734 CVE STATUS: Patched CVE SUMMARY: The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0734 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2018-0735 CVE STATUS: Patched CVE SUMMARY: The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0735 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2018-0737 CVE STATUS: Patched CVE SUMMARY: The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0737 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2018-0739 CVE STATUS: Patched CVE SUMMARY: Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0739 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2018-5407 CVE STATUS: Patched CVE SUMMARY: Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5407 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2019-1543 CVE STATUS: Patched CVE SUMMARY: ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j). CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1543 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2019-1547 CVE STATUS: Patched CVE SUMMARY: Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1547 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2019-1549 CVE STATUS: Patched CVE SUMMARY: OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1549 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2019-1551 CVE STATUS: Patched CVE SUMMARY: There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1551 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2019-1552 CVE STATUS: Patched CVE SUMMARY: OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1552 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2019-1559 CVE STATUS: Patched CVE SUMMARY: If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1559 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2019-1563 CVE STATUS: Patched CVE SUMMARY: In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1563 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2020-1967 CVE STATUS: Patched CVE SUMMARY: Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1967 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2020-1968 CVE STATUS: Patched CVE SUMMARY: The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1968 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2020-1971 CVE STATUS: Patched CVE SUMMARY: The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1971 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2021-23839 CVE STATUS: Patched CVE SUMMARY: OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such as server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this issue. In order to be vulnerable a 1.0.2 server must: 1) have configured SSLv2 support at compile time (this is off by default), 2) have configured SSLv2 support at runtime (this is off by default), 3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite list) OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue. The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.0.2y (Affected 1.0.2s-1.0.2x). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-23839 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2021-23840 CVE STATUS: Patched CVE SUMMARY: Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-23840 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2021-23841 CVE STATUS: Patched CVE SUMMARY: The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-23841 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2021-3449 CVE STATUS: Patched CVE SUMMARY: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3449 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2021-3450 CVE STATUS: Patched CVE SUMMARY: The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j). CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3450 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2021-3711 CVE STATUS: Patched CVE SUMMARY: In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3711 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2021-3712 CVE STATUS: Patched CVE SUMMARY: ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y). CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3712 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2021-4044 CVE STATUS: Patched CVE SUMMARY: Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses. This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. By combining the two issues an attacker could induce incorrect, application dependent behaviour. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4044 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2021-4160 CVE STATUS: Patched CVE SUMMARY: There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.0. It was addressed in the releases of 1.1.1m and 3.0.1 on the 15th of December 2021. For the 1.0.2 release it is addressed in git commit 6fc1aaaf3 that is available to premium support customers only. It will be made available in 1.0.2zc when it is released. The issue only affects OpenSSL on MIPS platforms. Fixed in OpenSSL 3.0.1 (Affected 3.0.0). Fixed in OpenSSL 1.1.1m (Affected 1.1.1-1.1.1l). Fixed in OpenSSL 1.0.2zc-dev (Affected 1.0.2-1.0.2zb). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4160 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2022-0778 CVE STATUS: Patched CVE SUMMARY: The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0778 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2022-1292 CVE STATUS: Patched CVE SUMMARY: The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd). CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1292 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2022-1343 CVE STATUS: Patched CVE SUMMARY: The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL "ocsp" application. When verifying an ocsp response with the "-no_cert_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1343 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2022-1434 CVE STATUS: Patched CVE SUMMARY: The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. If both endpoints are OpenSSL 3.0 then the attacker could modify data being sent in both directions. In this case both clients and servers could be affected, regardless of the application protocol. Note that in the absence of an attacker this bug means that an OpenSSL 3.0 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete the handshake when using this ciphersuite. The confidentiality of data is not impacted by this issue, i.e. an attacker cannot decrypt data that has been encrypted using this ciphersuite - they can only modify it. In order for this attack to work both endpoints must legitimately negotiate the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in OpenSSL 3.0, and is not available within the default provider or the default ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the following must have occurred: 1) OpenSSL must have been compiled with the (non-default) compile time option enable-weak-ssl-ciphers 2) OpenSSL must have had the legacy provider explicitly loaded (either through application code or via configuration) 3) The ciphersuite must have been explicitly added to the ciphersuite list 4) The libssl security level must have been set to 0 (default is 1) 5) A version of SSL/TLS below TLSv1.3 must have been negotiated 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any others that both endpoints have in common Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1434 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2022-1473 CVE STATUS: Patched CVE SUMMARY: The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. The function was added in the OpenSSL 3.0 version thus older releases are not affected by the issue. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1473 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2022-2068 CVE STATUS: Patched CVE SUMMARY: In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze). CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2068 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2022-2097 CVE STATUS: Patched CVE SUMMARY: AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2097 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2022-2274 CVE STATUS: Patched CVE SUMMARY: The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2274 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2022-3358 CVE STATUS: Patched CVE SUMMARY: OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3358 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2022-3602 CVE STATUS: Patched CVE SUMMARY: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. Fixed in OpenSSL 3.0.7 (Affected 3.0.0,3.0.1,3.0.2,3.0.3,3.0.4,3.0.5,3.0.6). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3602 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2022-3786 CVE STATUS: Patched CVE SUMMARY: A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3786 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2022-3996 CVE STATUS: Patched CVE SUMMARY: If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. Update (31 March 2023): The description of the policy processing enablement was corrected based on CVE-2023-0466. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3996 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2022-4203 CVE STATUS: Patched CVE SUMMARY: A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. The read buffer overrun might result in a crash which could lead to a denial of service attack. In theory it could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext) although we are not aware of any working exploit leading to memory contents disclosure as of the time of release of this advisory. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4203 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2022-4304 CVE STATUS: Patched CVE SUMMARY: A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4304 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2022-4450 CVE STATUS: Patched CVE SUMMARY: The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4450 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-0215 CVE STATUS: Patched CVE SUMMARY: The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0215 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-0216 CVE STATUS: Patched CVE SUMMARY: An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. The result of the dereference is an application crash which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call this function however third party applications might call these functions on untrusted data. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0216 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-0217 CVE STATUS: Patched CVE SUMMARY: An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allow an attacker to cause a denial of service attack. The TLS implementation in OpenSSL does not call this function but applications might call the function if there are additional security requirements imposed by standards such as FIPS 140-3. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0217 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-0286 CVE STATUS: Patched CVE SUMMARY: There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0286 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-0401 CVE STATUS: Patched CVE SUMMARY: A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash. The unavailability of an algorithm can be caused by using FIPS enabled configuration of providers or more commonly by not loading the legacy provider. PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions however third party applications would be affected if they call these functions to verify signatures on untrusted data. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0401 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-0464 CVE STATUS: Patched CVE SUMMARY: A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0464 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-0465 CVE STATUS: Patched CVE SUMMARY: Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0465 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-0466 CVE STATUS: Patched CVE SUMMARY: The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0466 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-1255 CVE STATUS: Patched CVE SUMMARY: Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash. Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM platform can crash in rare circumstances. The AES-XTS algorithm is usually used for disk encryption. The AES-XTS cipher decryption implementation for 64 bit ARM platform will read past the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext buffer is unmapped, this will trigger a crash which results in a denial of service. If an attacker can control the size and location of the ciphertext buffer being decrypted by an application using AES-XTS on 64 bit ARM, the application is affected. This is fairly unlikely making this issue a Low severity one. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1255 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-2650 CVE STATUS: Patched CVE SUMMARY: Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service. An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods. When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*). With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data. Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low. In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature. The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2650 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-2975 CVE STATUS: Patched CVE SUMMARY: Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding or reordering such empty entries as these are ignored by the OpenSSL implementation. We are currently unaware of any such applications. The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. As this issue does not affect non-empty associated data authentication and we expect it to be rare for an application to use empty associated data entries this is qualified as Low severity issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2975 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-3446 CVE STATUS: Patched CVE SUMMARY: Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulernable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3446 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-3817 CVE STATUS: Patched CVE SUMMARY: Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3817 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-4807 CVE STATUS: Patched CVE SUMMARY: Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions. Impact summary: If in an application that uses the OpenSSL library an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However given the contents of the registers are just zeroized so the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3 and a malicious client can influence whether this AEAD cipher is used by the server. This implies that server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. As a workaround the AVX512-IFMA instructions support can be disabled at runtime by setting the environment variable OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000 The FIPS provider is not affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4807 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-5363 CVE STATUS: Patched CVE SUMMARY: Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary. OpenSSL 3.1 and 3.0 are vulnerable to this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5363 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-5678 CVE STATUS: Patched CVE SUMMARY: Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5678 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2023-6129 CVE STATUS: Patched CVE SUMMARY: Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6129 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2024-0727 CVE STATUS: Patched CVE SUMMARY: Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0727 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2024-41996 CVE STATUS: Patched CVE SUMMARY: Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41996 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2024-6119 CVE STATUS: Patched CVE SUMMARY: Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6119 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2025-11187 CVE STATUS: Patched CVE SUMMARY: Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations. When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 salt and keylength parameters from the file are used without validation. If the value of keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), the key derivation will overflow the buffer. The overflow length is attacker-controlled. Also, if the salt parameter is not an OCTET STRING type this can lead to invalid or NULL pointer dereference. Exploiting this issue requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For this reason the issue was assessed as Moderate severity. The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as PKCS#12 processing is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue. OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do not support PBMAC1 in PKCS#12. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-11187 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2025-15467 CVE STATUS: Unpatched CVE SUMMARY: Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-15467 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2025-15468 CVE STATUS: Patched CVE SUMMARY: Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service. Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported. As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity. The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-15468 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2025-15469 CVE STATUS: Patched CVE SUMMARY: Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated. When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath. The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected. The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary. OpenSSL 3.5 and 3.6 are vulnerable to this issue. OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-15469 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2025-4575 CVE STATUS: Patched CVE SUMMARY: Issue summary: Use of -addreject option with the openssl x509 application adds a trusted use instead of a rejected use for a certificate. Impact summary: If a user intends to make a trusted certificate rejected for a particular use it will be instead marked as trusted for that use. A copy & paste error during minor refactoring of the code introduced this issue in the OpenSSL 3.5 version. If, for example, a trusted CA certificate should be trusted only for the purpose of authenticating TLS servers but not for CMS signature verification and the CMS signature verification is intended to be marked as rejected with the -addreject option, the resulting CA certificate will be trusted for CMS signature verification purpose instead. Only users which use the trusted certificate format who use the openssl x509 command line application to add rejected uses are affected by this issue. The issues affecting only the command line application are considered to be Low severity. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are also not affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-4575 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2025-66199 CVE STATUS: Patched CVE SUMMARY: Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service). In affected configurations, the peer-supplied uncompressed certificate length from a CompressedCertificate message is used to grow a heap buffer prior to decompression. This length is not bounded by the max_cert_list setting, which otherwise constrains certificate message sizes. An attacker can exploit this to cause large per-connection allocations followed by handshake failure. No memory corruption or information disclosure occurs. This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected. Servers that do not request client certificates are not vulnerable to client-initiated attacks. Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION to disable receiving compressed certificates. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the TLS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-66199 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2025-68160 CVE STATUS: Patched CVE SUMMARY: Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-68160 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2025-69418 CVE STATUS: Patched CVE SUMMARY: Issue summary: When using the low-level OCB API directly with AES-NI or
other hardware-accelerated code paths, inputs whose length is not a multiple
of 16 bytes can leave the final partial block unencrypted and unauthenticated.

Impact summary: The trailing 1-15 bytes of a message may be exposed in
cleartext on encryption and are not covered by the authentication tag,
allowing an attacker to read or tamper with those bytes without detection.

The low-level OCB encrypt and decrypt routines in the hardware-accelerated
stream path process full 16-byte blocks but do not advance the input/output
pointers. The subsequent tail-handling code then operates on the original
base pointers, effectively reprocessing the beginning of the buffer while
leaving the actual trailing bytes unprocessed. The authentication checksum
also excludes the true tail bytes.

However, typical OpenSSL consumers using EVP are not affected because the
higher-level EVP and provider OCB implementations split inputs so that full
blocks and trailing partial blocks are processed in separate calls, avoiding
the problematic code path. Additionally, TLS does not use OCB ciphersuites.
The vulnerability only affects applications that call the low-level
CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with
non-block-aligned lengths in a single call on hardware-accelerated builds.
For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected
by this issue, as OCB mode is not a FIPS-approved algorithm.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-69418 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2025-69419 CVE STATUS: Patched CVE SUMMARY: Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-69419 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2025-69420 CVE STATUS: Patched CVE SUMMARY: Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-69420 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2025-69421 CVE STATUS: Patched CVE SUMMARY: Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-69421 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2026-22795 CVE STATUS: Patched CVE SUMMARY: Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-22795 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2026-22796 CVE STATUS: Patched CVE SUMMARY: Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-22796 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2026-2673 CVE STATUS: Patched CVE SUMMARY: Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicated keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server. If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported. As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519' being the only ones in the client's initial keyshare prediction). OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers. The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. If any of the keyshares predicted by the client were supported by the server the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares would have been more preferred, if included. The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security. Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group. The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'. No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary. OpenSSL 3.6 and 3.5 are vulnerable to this issue. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-2673 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2026-28386 CVE STATUS: Patched CVE SUMMARY: Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes when processing partial cipher blocks. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not written to output. The vulnerable code path is only reached when processing partial blocks (when a previous call left an incomplete block and the current call provides fewer bytes than needed to complete it). Additionally, the input buffer must be positioned at a page boundary with the following page unmapped. CFB mode is not used in TLS/DTLS protocols, which use CBC, GCM, CCM, or ChaCha20-Poly1305 instead. For these reasons the issue was assessed as Low severity according to our Security Policy. Only x86-64 systems with AVX-512 and VAES instruction support are affected. Other architectures and systems without VAES support use different code paths that are not affected. OpenSSL FIPS module in 3.6 version is affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-28386 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2026-28387 CVE STATUS: Patched CVE SUMMARY: Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-28387 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2026-28388 CVE STATUS: Patched CVE SUMMARY: Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-28388 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2026-28389 CVE STATUS: Patched CVE SUMMARY: Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-28389 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2026-28390 CVE STATUS: Patched CVE SUMMARY: Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-28390 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2026-31789 CVE STATUS: Patched CVE SUMMARY: Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-31789 LAYER: meta PACKAGE NAME: openssl PACKAGE VERSION: 3.2.6 CVE: CVE-2026-31790 CVE STATUS: Patched CVE SUMMARY: Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-31790 LAYER: meta PACKAGE NAME: ninja PACKAGE VERSION: 1.11.1 CVE: CVE-2014-4550 CVE STATUS: Patched CVE SUMMARY: Cross-site scripting (XSS) vulnerability in preview-shortcode-external.php in the Shortcode Ninja plugin 1.4 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the shortcode parameter. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4550 LAYER: meta PACKAGE NAME: ninja PACKAGE VERSION: 1.11.1 CVE: CVE-2021-4336 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: This is a different Ninja CVE SUMMARY: A vulnerability was found in ITRS Group monitor-ninja up to 2021.11.1. It has been rated as critical. Affected by this issue is some unknown functionality of the file modules/reports/models/scheduled_reports.php. The manipulation leads to sql injection. Upgrading to version 2021.11.30 is able to address this issue. The name of the patch is 6da9080faec9bca1ca5342386c0421dca0a6c0cc. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230084. CVSS v2 BASE SCORE: 5.2 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4336 LAYER: meta PACKAGE NAME: ninja PACKAGE VERSION: 1.11.1 CVE: CVE-2024-36823 CVE STATUS: Patched CVE SUMMARY: The encrypt() function of Ninja Core v7.0.0 was discovered to use a weak cryptographic algorithm, leading to a possible leakage of sensitive information. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36823 LAYER: meta PACKAGE NAME: apr-util PACKAGE VERSION: 1.6.3 CVE: CVE-2009-0023 CVE STATUS: Patched CVE SUMMARY: The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 module for the Apache HTTP Server, or (4) an application that uses the libapreq2 library, which triggers a heap-based buffer underflow. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0023 LAYER: meta PACKAGE NAME: apr-util PACKAGE VERSION: 1.6.3 CVE: CVE-2009-1955 CVE STATUS: Patched CVE SUMMARY: The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1955 LAYER: meta PACKAGE NAME: apr-util PACKAGE VERSION: 1.6.3 CVE: CVE-2009-1956 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1956 LAYER: meta PACKAGE NAME: apr-util PACKAGE VERSION: 1.6.3 CVE: CVE-2009-2412 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2412 LAYER: meta PACKAGE NAME: apr-util PACKAGE VERSION: 1.6.3 CVE: CVE-2010-1623 CVE STATUS: Patched CVE SUMMARY: Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1623 LAYER: meta PACKAGE NAME: apr-util PACKAGE VERSION: 1.6.3 CVE: CVE-2011-1928 CVE STATUS: Patched CVE SUMMARY: The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1928 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2011-2485 CVE STATUS: Patched CVE SUMMARY: The gdk_pixbuf__gif_image_load function in gdk-pixbuf/io-gif.c in gdk-pixbuf before 2.23.5 does not properly handle certain return values, which allows remote attackers to cause a denial of service (memory consumption) via a crafted GIF image file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2485 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2011-2897 CVE STATUS: Patched CVE SUMMARY: gdk-pixbuf through 2.31.1 has GIF loader buffer overflow when initializing decompression tables due to an input validation flaw CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2897 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2012-2370 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the read_bitmap_file_data function in io-xbm.c in gdk-pixbuf before 2.26.1 allow remote attackers to cause a denial of service (application crash) via a negative (1) height or (2) width in an XBM file, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2370 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2015-4491 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the make_filter_table function in pixops/pixops.c in gdk-pixbuf before 2.31.5, as used in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 on Linux, Google Chrome on Linux, and other products, allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow and application crash) via crafted bitmap dimensions that are mishandled during scaling. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4491 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2015-7673 CVE STATUS: Patched CVE SUMMARY: io-tga.c in gdk-pixbuf before 2.32.0 uses heap memory after its allocation failed, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) and possibly execute arbitrary code via a crafted Truevision TGA (TARGA) file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7673 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2015-7674 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the pixops_scale_nearest function in pixops/pixops.c in gdk-pixbuf before 2.32.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted GIF image file, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7674 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2015-8875 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the (1) pixops_composite_nearest, (2) pixops_composite_color_nearest, and (3) pixops_process functions in pixops/pixops.c in gdk-pixbuf before 2.33.1 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8875 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2016-6352 CVE STATUS: Patched CVE SUMMARY: The OneLine32 function in io-ico.c in gdk-pixbuf before 2.35.3 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via crafted dimensions in an ICO file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6352 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2017-1000422 CVE STATUS: Patched CVE SUMMARY: Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer overflow in the gif_get_lzw function resulting in memory corruption and potential code execution CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000422 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2017-12447 CVE STATUS: Patched CVE SUMMARY: GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on Ubuntu 16.04, allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12447 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2017-2862 CVE STATUS: Patched CVE SUMMARY: An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2862 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2017-2870 CVE STATUS: Patched CVE SUMMARY: An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2870 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2017-6311 CVE STATUS: Patched CVE SUMMARY: gdk-pixbuf-thumbnailer.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to printing an error message. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6311 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2017-6312 CVE STATUS: Patched CVE SUMMARY: Integer overflow in io-ico.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted image entry offset in an ICO file, which triggers an out-of-bounds read, related to compiler optimizations. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6312 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2017-6313 CVE STATUS: Patched CVE SUMMARY: Integer underflow in the load_resources function in io-icns.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (out-of-bounds read and program crash) via a crafted image entry size in an ICO file. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6313 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2017-6314 CVE STATUS: Patched CVE SUMMARY: The make_available_at_least function in io-tiff.c in gdk-pixbuf allows context-dependent attackers to cause a denial of service (infinite loop) via a large TIFF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6314 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2020-29385 CVE STATUS: Patched CVE SUMMARY: GNOME gdk-pixbuf (aka GdkPixbuf) before 2.42.2 allows a denial of service (infinite loop) in lzw.c in the function write_indexes. if c->self_code equals 10, self->code_table[10].extends will assign the value 11 to c. The next execution in the loop will assign self->code_table[11].extends to c, which will give the value of 10. This will make the loop run infinitely. This bug can, for example, be triggered by calling this function with a GIF image with LZW compression that is crafted in a special way. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29385 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2021-20240 CVE STATUS: Patched CVE SUMMARY: A flaw was found in gdk-pixbuf in versions before 2.42.0. An integer wraparound leading to an out of bounds write can occur when a crafted GIF image is loaded. An attacker may cause applications to crash or could potentially execute code on the victim system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVSS v2 BASE SCORE: 8.3 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20240 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2021-46829 CVE STATUS: Patched CVE SUMMARY: GNOME GdkPixbuf (aka GDK-PixBuf) before 2.42.8 allows a heap-based buffer overflow when compositing or clearing frames in GIF files, as demonstrated by io-gif-animation.c composite_frame. This overflow is controllable and could be abused for code execution, especially on 32-bit systems. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46829 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2025-7345 CVE STATUS: Patched CVE SUMMARY: A flaw exists in gdk‑pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-7345 LAYER: meta PACKAGE NAME: gdk-pixbuf PACKAGE VERSION: 2.42.12 CVE: CVE-2026-5201 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loader due to improper validation of color component counts when processing a specially crafted JPEG image. A remote attacker can exploit this flaw without user interaction, for example, via thumbnail generation. Successful exploitation leads to application crashes and denial of service (DoS) conditions. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5201 LAYER: meta-virtualization PACKAGE NAME: runc-opencontainers PACKAGE VERSION: 1.1.14+git CVE: CVE-2016-3697 CVE STATUS: Patched CVE SUMMARY: libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3697 LAYER: meta-virtualization PACKAGE NAME: runc-opencontainers PACKAGE VERSION: 1.1.14+git CVE: CVE-2019-16884 CVE STATUS: Patched CVE SUMMARY: runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16884 LAYER: meta-virtualization PACKAGE NAME: runc-opencontainers PACKAGE VERSION: 1.1.14+git CVE: CVE-2019-19921 CVE STATUS: Patched CVE SUMMARY: runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.) CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19921 LAYER: meta-virtualization PACKAGE NAME: runc-opencontainers PACKAGE VERSION: 1.1.14+git CVE: CVE-2019-5736 CVE STATUS: Patched CVE SUMMARY: runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5736 LAYER: meta-virtualization PACKAGE NAME: runc-opencontainers PACKAGE VERSION: 1.1.14+git CVE: CVE-2021-30465 CVE STATUS: Patched CVE SUMMARY: runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on a race condition. CVSS v2 BASE SCORE: 6.0 CVSS v3 BASE SCORE: 8.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-30465 LAYER: meta-virtualization PACKAGE NAME: runc-opencontainers PACKAGE VERSION: 1.1.14+git CVE: CVE-2021-43784 CVE STATUS: Patched CVE SUMMARY: runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug. CVSS v2 BASE SCORE: 6.0 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43784 LAYER: meta-virtualization PACKAGE NAME: runc-opencontainers PACKAGE VERSION: 1.1.14+git CVE: CVE-2022-24769 CVE STATUS: Patched CVE SUMMARY: Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24769 LAYER: meta-virtualization PACKAGE NAME: runc-opencontainers PACKAGE VERSION: 1.1.14+git CVE: CVE-2022-29162 CVE STATUS: Patched CVE SUMMARY: runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29162 LAYER: meta-virtualization PACKAGE NAME: runc-opencontainers PACKAGE VERSION: 1.1.14+git CVE: CVE-2023-25809 CVE STATUS: Patched CVE SUMMARY: runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25809 LAYER: meta-virtualization PACKAGE NAME: runc-opencontainers PACKAGE VERSION: 1.1.14+git CVE: CVE-2023-27561 CVE STATUS: Patched CVE SUMMARY: runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27561 LAYER: meta-virtualization PACKAGE NAME: runc-opencontainers PACKAGE VERSION: 1.1.14+git CVE: CVE-2023-28642 CVE STATUS: Patched CVE SUMMARY: runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28642 LAYER: meta-virtualization PACKAGE NAME: runc-opencontainers PACKAGE VERSION: 1.1.14+git CVE: CVE-2024-21626 CVE STATUS: Patched CVE SUMMARY: runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-21626 LAYER: meta-virtualization PACKAGE NAME: runc-opencontainers PACKAGE VERSION: 1.1.14+git CVE: CVE-2024-45310 CVE STATUS: Patched CVE SUMMARY: runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack's scope but the exact scope of protection hasn't been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3. Some workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual user on the host (such as with rootless containers that don't use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45310 LAYER: meta-virtualization PACKAGE NAME: runc-opencontainers PACKAGE VERSION: 1.1.14+git CVE: CVE-2025-31133 CVE STATUS: Unpatched CVE SUMMARY: runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 7.3 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-31133 LAYER: meta-virtualization PACKAGE NAME: runc-opencontainers PACKAGE VERSION: 1.1.14+git CVE: CVE-2025-52565 CVE STATUS: Unpatched CVE SUMMARY: runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 8.4 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-52565 LAYER: meta-virtualization PACKAGE NAME: runc-opencontainers PACKAGE VERSION: 1.1.14+git CVE: CVE-2025-52881 CVE STATUS: Unpatched CVE SUMMARY: runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 7.3 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-52881 LAYER: meta PACKAGE NAME: pango PACKAGE VERSION: 1.52.1 CVE: CVE-2009-1194 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1194 LAYER: meta PACKAGE NAME: pango PACKAGE VERSION: 1.52.1 CVE: CVE-2010-0421 CVE STATUS: Patched CVE SUMMARY: Array index error in the hb_ot_layout_build_glyph_classes function in pango/opentype/hb-ot-layout.cc in Pango before 1.27.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted font file, related to building a synthetic Glyph Definition (aka GDEF) table by using this font's charmap and the Unicode property database. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0421 LAYER: meta PACKAGE NAME: pango PACKAGE VERSION: 1.52.1 CVE: CVE-2011-0020 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object. CVSS v2 BASE SCORE: 7.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0020 LAYER: meta PACKAGE NAME: pango PACKAGE VERSION: 1.52.1 CVE: CVE-2011-0064 CVE STATUS: Patched CVE SUMMARY: The hb_buffer_ensure function in hb-buffer.c in HarfBuzz, as used in Pango 1.28.3, Firefox, and other products, does not verify that memory reallocations succeed, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via crafted OpenType font data that triggers use of an incorrect index. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0064 LAYER: meta PACKAGE NAME: pango PACKAGE VERSION: 1.52.1 CVE: CVE-2011-3193 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193 LAYER: meta PACKAGE NAME: pango PACKAGE VERSION: 1.52.1 CVE: CVE-2018-15120 CVE STATUS: Patched CVE SUMMARY: libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text with invalid Unicode sequences. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15120 LAYER: meta PACKAGE NAME: pango PACKAGE VERSION: 1.52.1 CVE: CVE-2019-1010238 CVE STATUS: Patched CVE SUMMARY: Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when application pass invalid utf-8 strings to functions like pango_itemize. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010238 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2007-0998 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: The VNC server can expose host files uder some circumstances. We don't enable it by default. CVE SUMMARY: The VNC server implementation in QEMU, as used by Xen and possibly other environments, allows local users of a guest operating system to read arbitrary files on the host operating system via unspecified vectors related to QEMU monitor mode, as demonstrated by mapping files to a CDROM device. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0998 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2007-1320 CVE STATUS: Patched CVE SUMMARY: Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1320 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2007-1321 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 "receive" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled "NE2000 network driver and the socket code," but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1321 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2007-1322 CVE STATUS: Patched CVE SUMMARY: QEMU 0.8.2 allows local users to halt a virtual machine by executing the icebp instruction. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1322 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2007-1366 CVE STATUS: Patched CVE SUMMARY: QEMU 0.8.2 allows local users to crash a virtual machine via the divisor operand to the aam instruction, as demonstrated by "aam 0x0," which triggers a divide-by-zero error. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1366 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2007-5729 CVE STATUS: Patched CVE SUMMARY: The NE2000 emulator in QEMU 0.8.2 allows local users to execute arbitrary code by writing Ethernet frames with a size larger than the MTU to the EN0_TCNT register, which triggers a heap-based buffer overflow in the slirp library, aka NE2000 "mtu" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the mtu overflow vulnerability. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5729 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2007-5730 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the "net socket listen" option, aka QEMU "net socket" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the individual net socket listen vulnerability. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5730 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2007-6227 CVE STATUS: Patched CVE SUMMARY: QEMU 0.9.0 allows local users of a Windows XP SP2 guest operating system to overwrite the TranslationBlock (code_gen_buffer) buffer, and probably have unspecified other impacts related to an "overflow," via certain Windows executable programs, as demonstrated by qemu-dos.com. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6227 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2008-0928 CVE STATUS: Patched CVE SUMMARY: Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0928 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2008-1945 CVE STATUS: Patched CVE SUMMARY: QEMU 0.9.0 does not properly handle changes to removable media, which allows guest OS users to read arbitrary files on the host OS by using the diskformat: parameter in the -usbdevice option to modify the disk-image header to identify a different format, a related issue to CVE-2008-2004. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1945 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2008-2004 CVE STATUS: Patched CVE SUMMARY: The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2004 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2008-2382 CVE STATUS: Patched CVE SUMMARY: The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 and earlier and (2) KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2382 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2008-4539 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM before kvm-82 and (2) QEMU on Debian GNU/Linux and Ubuntu might allow local users to gain privileges by using the VNC console for a connection, aka the LGD-54XX "bitblt" heap overflow. NOTE: this issue exists because of an incorrect fix for CVE-2007-1320. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4539 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2008-4553 CVE STATUS: Patched CVE SUMMARY: qemu-make-debian-root in qemu 0.9.1-5 on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on temporary files and directories. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4553 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2008-5714 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5714 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2009-3616 CVE STATUS: Patched CVE SUMMARY: Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities. CVSS v2 BASE SCORE: 8.5 CVSS v3 BASE SCORE: 9.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3616 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2010-0297 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code on the host OS via a crafted USB packet. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0297 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2011-0011 CVE STATUS: Patched CVE SUMMARY: qemu-kvm before 0.11.0 disables VNC authentication when the password is cleared, which allows remote attackers to bypass authentication and establish VNC sessions. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0011 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2011-1750 CVE STATUS: Patched CVE SUMMARY: Multiple heap-based buffer overflows in the virtio-blk driver (hw/virtio-blk.c) in qemu-kvm 0.14.0 allow local guest users to cause a denial of service (guest crash) and possibly gain privileges via a (1) write request to the virtio_blk_handle_write function or (2) read request to the virtio_blk_handle_read function that is not properly aligned. CVSS v2 BASE SCORE: 7.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1750 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2011-1751 CVE STATUS: Patched CVE SUMMARY: The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest crash) and possibly execute arbitrary code by sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to a use-after-free related to "active qemu timers." CVSS v2 BASE SCORE: 7.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1751 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2011-2212 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the virtio subsystem in qemu-kvm 0.14.0 and earlier allows privileged guest users to cause a denial of service (guest crash) or gain privileges via a crafted indirect descriptor related to "virtqueue in and out requests." CVSS v2 BASE SCORE: 7.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2212 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2011-2527 CVE STATUS: Patched CVE SUMMARY: The change_process_uid function in os-posix.c in Qemu 0.14.0 and earlier does not properly drop group privileges when the -runas option is used, which allows local guest users to access restricted files on the host. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2527 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2011-3346 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with permission to access the CD-ROM to cause a denial of service (guest crash) via a crafted SAI READ CAPACITY SCSI command. NOTE: this is only a vulnerability when root has manually modified certain permissions or ACLs. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3346 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2011-4111 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the ccid_card_vscard_handle_message function in hw/ccid-card-passthru.c in QEMU before 0.15.2 and 1.x before 1.0-rc4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VSC_ATR message. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4111 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2012-2652 CVE STATUS: Patched CVE SUMMARY: The bdrv_open function in Qemu 1.0 does not properly handle the failure of the mkstemp function, when in snapshot node, which allows local users to overwrite or read arbitrary files via a symlink attack on an unspecified temporary file. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2652 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2012-3515 CVE STATUS: Patched CVE SUMMARY: Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space." CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3515 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2012-6075 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the e1000_receive function in the e1000 device driver (hw/e1000.c) in QEMU 1.3.0-rc2 and other versions, when the SBP and LPE flags are disabled, allows remote attackers to cause a denial of service (guest OS crash) and possibly execute arbitrary guest code via a large packet. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6075 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-2007 CVE STATUS: Patched CVE SUMMARY: The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when started in daemon mode, uses weak permissions for certain files, which allows local users to read and write to these files. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2007 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-2016 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2016 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4148 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the virtio_net_load function in hw/net/virtio-net.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers a buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4148 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4149 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in virtio_net_load function in net/virtio-net.c in QEMU 1.3.0 through 1.7.x before 1.7.2 might allow remote attackers to execute arbitrary code via a large MAC table. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4149 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4150 CVE STATUS: Patched CVE SUMMARY: The virtio_net_load function in hw/net/virtio-net.c in QEMU 1.5.0 through 1.7.x before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors in which the value of curr_queues is greater than max_queues, which triggers an out-of-bounds write. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4150 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4151 CVE STATUS: Patched CVE SUMMARY: The virtio_load function in virtio/virtio.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds write. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4151 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4344 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the SCSI implementation in QEMU, as used in Xen, when a SCSI controller has more than 256 attached devices, allows local users to gain privileges via a small transfer buffer in a REPORT LUNS command. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4344 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4375 CVE STATUS: Patched CVE SUMMARY: The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and qemu 1.1 and other versions, allows local HVM guests to cause a denial of service (domain grant reference consumption) via unspecified vectors. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4375 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4377 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0 through 1.6.0 allows local users to cause a denial of service (daemon crash) by "hot-unplugging" a virtio device. CVSS v2 BASE SCORE: 2.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4377 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4526 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via vectors related to migrating ports. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4526 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4527 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in hw/timer/hpet.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via vectors related to the number of timers. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4527 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4529 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4529 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4530 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4530 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4531 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in target-arm/machine.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative value in cpreg_vmstate_array_len in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4531 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4532 CVE STATUS: Patched CVE SUMMARY: Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4532 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4533 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4533 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4534 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in hw/intc/openpic.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4534 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4535 CVE STATUS: Patched CVE SUMMARY: The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4535 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4536 CVE STATUS: Patched CVE SUMMARY: An user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4536 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4537 CVE STATUS: Patched CVE SUMMARY: The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted arglen value in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4537 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4538 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c in QEMU before 1.7.2 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_star and col_end values in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4538 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4539 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4539 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4540 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4540 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4541 CVE STATUS: Patched CVE SUMMARY: The usb_device_post_load function in hw/usb/bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, related to a negative setup_len or setup_index value. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4541 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4542 CVE STATUS: Patched CVE SUMMARY: The virtio_scsi_load_request function in hw/scsi/scsi-bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4542 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-4544 CVE STATUS: Patched CVE SUMMARY: hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4544 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2013-6399 CVE STATUS: Patched CVE SUMMARY: Array index error in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6399 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-0142 CVE STATUS: Patched CVE SUMMARY: QEMU, possibly before 2.0.0, allows local users to cause a denial of service (divide-by-zero error and crash) via a zero value in the (1) tracks field to the seek_to_sector function in block/parallels.c or (2) extent_size field in the bochs function in block/bochs.c. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0142 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-0143 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bochs.c, a large L1 table in the (3) qcow2_snapshot_load_tmp in qcow2-snapshot.c or (4) qcow2_grow_l1_table function in qcow2-cluster.c, (5) a large request in the bdrv_check_byte_request function in block.c and other block drivers, (6) crafted cluster indexes in the get_refcount function in qcow2-refcount.c, or (7) a large number of blocks in the cloop_open function in cloop.c, which trigger buffer overflows, memory corruption, large memory allocations and out-of-bounds read and writes. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0143 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-0144 CVE STATUS: Patched CVE SUMMARY: QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0144 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-0145 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0, allow local users to cause a denial of service (crash) or possibly execute arbitrary code via a large (1) L1 table in the qcow2_snapshot_load_tmp in the QCOW 2 block driver (block/qcow2-snapshot.c) or (2) uncompressed chunk, (3) chunk length, or (4) number of sectors in the DMG block driver (block/dmg.c). CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0145 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-0146 CVE STATUS: Patched CVE SUMMARY: The qcow2_open function in the (block/qcow2.c) in QEMU before 1.7.2 and 2.x before 2.0.0 allows local users to cause a denial of service (NULL pointer dereference) via a crafted image which causes an error, related to the initialization of the snapshot_offset and nb_snapshots fields. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0146 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-0147 CVE STATUS: Patched CVE SUMMARY: Qemu before 1.6.2 block diver for the various disk image formats used by Bochs and for the QCOW version 2 format, are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling update_refcount() routine. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0147 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-0148 CVE STATUS: Patched CVE SUMMARY: Qemu before 2.0 block driver for Hyper-V VHDX Images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for block_size and logical_sector_size variables. These are used to derive other fields like 'sectors_per_block' etc. A user able to alter the Qemu disk image could ise this flaw to crash the Qemu instance resulting in DoS. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0148 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-0150 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0150 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-0182 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted config length in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0182 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-0222 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0222 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-0223 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0223 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-2894 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU before 2.0 allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2894 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-3461 CVE STATUS: Patched CVE SUMMARY: hw/usb/bus.c in QEMU 1.6.2 allows remote attackers to execute arbitrary code via crafted savevm data, which triggers a heap-based buffer overflow, related to "USB post load checks." CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3461 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-3471 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in hw/pci/pcie.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU instance crash) via hotplug and hotunplug operations of Virtio block devices. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3471 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-3615 CVE STATUS: Patched CVE SUMMARY: The VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3615 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-3640 CVE STATUS: Patched CVE SUMMARY: The sosendto function in slirp/udp.c in QEMU before 2.1.2 allows local users to cause a denial of service (NULL pointer dereference) by sending a udp packet with a value of 0 in the source port and address, which triggers access of an uninitialized socket. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3640 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-3689 CVE STATUS: Patched CVE SUMMARY: The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3689 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-5263 CVE STATUS: Patched CVE SUMMARY: vmstate_xhci_event in hw/usb/hcd-xhci.c in QEMU 1.6.0 does not terminate the list with the VMSTATE_END_OF_LIST macro, which allows attackers to cause a denial of service (out-of-bounds access, infinite loop, and memory corruption) and possibly gain privileges via unspecified vectors. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5263 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-5388 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allows local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5388 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-7815 CVE STATUS: Patched CVE SUMMARY: The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7815 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-7840 CVE STATUS: Patched CVE SUMMARY: The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7840 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-8106 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8106 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2014-9718 CVE STATUS: Patched CVE SUMMARY: The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in QEMU 1.0 through 2.1.3 have multiple interpretations of a function's return value, which allows guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9718 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-1779 CVE STATUS: Patched CVE SUMMARY: The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1779 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-3209 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3209 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-3214 CVE STATUS: Patched CVE SUMMARY: The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3214 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-3456 CVE STATUS: Patched CVE SUMMARY: The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM. CVSS v2 BASE SCORE: 7.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3456 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-4037 CVE STATUS: Patched CVE SUMMARY: The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4037 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-4106 CVE STATUS: Patched CVE SUMMARY: QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4106 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-5154 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5154 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-5158 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in hw/scsi/scsi-bus.c in QEMU, when built with SCSI-device emulation support, allows guest OS users with CAP_SYS_RAWIO permissions to cause a denial of service (instance crash) via an invalid opcode in a SCSI command descriptor block. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5158 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-5225 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the vnc_refresh_server_surface function in the VNC display driver in QEMU before 2.4.0.1 allows guest users to cause a denial of service (heap memory corruption and process crash) or possibly execute arbitrary code on the host via unspecified vectors, related to refreshing the server display surface. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5225 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-5239 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5239 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-5278 CVE STATUS: Patched CVE SUMMARY: The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows attackers to cause a denial of service (infinite loop and instance crash) or possibly execute arbitrary code via vectors related to receiving packets. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5278 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-5279 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5279 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-5745 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5745 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-6815 CVE STATUS: Patched CVE SUMMARY: The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 3.5 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6815 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-6855 CVE STATUS: Patched CVE SUMMARY: hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6855 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-7295 CVE STATUS: Patched CVE SUMMARY: hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7295 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-7504 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7504 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-7512 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 9.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7512 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-7549 CVE STATUS: Patched CVE SUMMARY: The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7549 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-8345 CVE STATUS: Patched CVE SUMMARY: The eepro100 emulator in QEMU qemu-kvm blank allows local guest users to cause a denial of service (application crash and infinite loop) via vectors involving the command block list. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8345 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-8504 CVE STATUS: Patched CVE SUMMARY: Qemu, when built with VNC display driver support, allows remote attackers to cause a denial of service (arithmetic exception and application crash) via crafted SetPixelFormat messages from a client. CVSS v2 BASE SCORE: 3.5 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8504 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-8556 CVE STATUS: Patched CVE SUMMARY: Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 10.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8556 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-8558 CVE STATUS: Patched CVE SUMMARY: The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8558 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-8567 CVE STATUS: Patched CVE SUMMARY: Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption). CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8567 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-8568 CVE STATUS: Patched CVE SUMMARY: Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC emulator support, allows local guest users to cause a denial of service (host memory consumption) by trying to activate the vmxnet3 device repeatedly. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8568 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-8613 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the megasas_ctrl_get_info function in QEMU, when built with SCSI MegaRAID SAS HBA emulation support, allows local guest users to cause a denial of service (QEMU instance crash) via a crafted SCSI controller CTRL_GET_INFO command. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8613 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-8619 CVE STATUS: Patched CVE SUMMARY: The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8619 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-8666 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in QEMU, when built with the Q35-chipset-based PC system emulator. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 7.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8666 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-8701 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the QEMU process instance resulting in DoS issue. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8701 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-8743 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with the NE2000 device emulation support is vulnerable to an OOB r/w access issue. It could occur while performing 'ioport' r/w operations. A privileged (CAP_SYS_RAWIO) user/process could use this flaw to leak or corrupt QEMU memory bytes. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8743 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-8744 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It occurs when a guest sends a Layer-2 packet smaller than 22 bytes. A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8744 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-8745 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It could occur while reading Interrupt Mask Registers (IMR). A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8745 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-8817 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built to use 'address_space_translate' to map an address to a MemoryRegionSection is vulnerable to an OOB r/w access issue. It could occur while doing pci_dma_read/write calls. Affects QEMU versions >= 1.6.0 and <= 2.3.1. A privileged user inside guest could use this flaw to crash the guest instance resulting in DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8817 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2015-8818 CVE STATUS: Patched CVE SUMMARY: The cpu_physical_memory_write_rom_internal function in exec.c in QEMU (aka Quick Emulator) does not properly skip MMIO regions, which allows local privileged guest users to cause a denial of service (guest crash) via unspecified vectors. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8818 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-10028 CVE STATUS: Patched CVE SUMMARY: The virgl_cmd_get_capset function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a VIRTIO_GPU_CMD_GET_CAPSET command with a maximum capabilities size with a value of 0. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10028 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-10029 CVE STATUS: Patched CVE SUMMARY: The virtio_gpu_set_scanout function in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a scanout id in a VIRTIO_GPU_CMD_SET_SCANOUT command larger than num_scanouts. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10029 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-10155 CVE STATUS: Patched CVE SUMMARY: Memory leak in hw/watchdog/wdt_i6300esb.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10155 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-1568 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1568 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-1714 CVE STATUS: Patched CVE SUMMARY: The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access and process crash) or possibly execute arbitrary code via an invalid current entry value in a firmware configuration. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1714 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-1922 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with the TPR optimization for 32-bit Windows guests support is vulnerable to a null pointer dereference flaw. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null, which leads to the null pointer dereference. A user or process could use this flaw to crash the QEMU instance, resulting in DoS issue. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1922 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-1981 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head (TDH/RDH) is set outside the allocated descriptor buffer. A privileged user inside guest could use this flaw to crash the QEMU instance resulting in DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1981 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-2197 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with an IDE AHCI emulation support is vulnerable to a null pointer dereference flaw. It occurs while unmapping the Frame Information Structure (FIS) and Command List Block (CLB) entries. A privileged user inside guest could use this flaw to crash the QEMU process instance resulting in DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2197 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-2198 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with the USB EHCI emulation support is vulnerable to a null pointer dereference flaw. It could occur when an application attempts to write to EHCI capabilities registers. A privileged user inside quest could use this flaw to crash the QEMU process instance resulting in DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2198 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-2391 CVE STATUS: Patched CVE SUMMARY: The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2391 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-2392 CVE STATUS: Patched CVE SUMMARY: The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 does not properly validate USB configuration descriptor objects, which allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2392 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-2538 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2538 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-2841 CVE STATUS: Patched CVE SUMMARY: The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via crafted values for the PSTART and PSTOP registers, involving ring buffer control. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2841 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-2857 CVE STATUS: Patched CVE SUMMARY: The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 8.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2857 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-2858 CVE STATUS: Patched CVE SUMMARY: QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2858 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-3710 CVE STATUS: Patched CVE SUMMARY: The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3710 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-3712 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3712 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-4001 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4001 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-4002 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4002 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-4020 CVE STATUS: Patched CVE SUMMARY: The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR). CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4020 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-4037 CVE STATUS: Patched CVE SUMMARY: The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4037 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-4439 CVE STATUS: Patched CVE SUMMARY: The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4439 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-4441 CVE STATUS: Patched CVE SUMMARY: The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check DMA length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4441 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-4453 CVE STATUS: Patched CVE SUMMARY: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4453 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-4454 CVE STATUS: Patched CVE SUMMARY: The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4454 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-4952 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator), when built with VMWARE PVSCSI paravirtual SCSI bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds array access) via vectors related to the (1) PVSCSI_CMD_SETUP_RINGS or (2) PVSCSI_CMD_SETUP_MSG_RING SCSI command. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4952 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-4964 CVE STATUS: Patched CVE SUMMARY: The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop, and CPU consumption or QEMU process crash) via vectors involving s->state. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4964 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-5105 CVE STATUS: Patched CVE SUMMARY: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, uses an uninitialized variable, which allows local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5105 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-5106 CVE STATUS: Patched CVE SUMMARY: The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5106 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-5107 CVE STATUS: Patched CVE SUMMARY: The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5107 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-5126 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5126 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-5238 CVE STATUS: Patched CVE SUMMARY: The get_cmd function in hw/scsi/esp.c in QEMU might allow local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5238 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-5337 CVE STATUS: Patched CVE SUMMARY: The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allows local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5337 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-5338 CVE STATUS: Patched CVE SUMMARY: The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5338 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-5403 CVE STATUS: Patched CVE SUMMARY: The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5403 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-6351 CVE STATUS: Patched CVE SUMMARY: The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the QEMU host via vectors involving DMA read into ESP command buffer. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6351 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-6490 CVE STATUS: Patched CVE SUMMARY: The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6490 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-6833 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the vmxnet3_io_bar0_write function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU instance crash) by leveraging failure to check if the device is active. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6833 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-6834 CVE STATUS: Patched CVE SUMMARY: The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6834 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-6835 CVE STATUS: Patched CVE SUMMARY: The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6835 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-6836 CVE STATUS: Patched CVE SUMMARY: The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6836 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-6888 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU process crash) via the maximum fragmentation count, which triggers an unchecked multiplication and NULL pointer dereference. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6888 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-7116 CVE STATUS: Patched CVE SUMMARY: Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7116 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-7155 CVE STATUS: Patched CVE SUMMARY: hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds access or infinite loop, and QEMU process crash) via a crafted page count for descriptor rings. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7155 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-7156 CVE STATUS: Patched CVE SUMMARY: The pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging an incorrect cast. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7156 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-7157 CVE STATUS: Patched CVE SUMMARY: The (1) mptsas_config_manufacturing_1 and (2) mptsas_config_ioc_0 functions in hw/scsi/mptconfig.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via vectors involving MPTSAS_CONFIG_PACK. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7157 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-7161 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7161 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-7170 CVE STATUS: Patched CVE SUMMARY: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7170 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-7421 CVE STATUS: Patched CVE SUMMARY: The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7421 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-7422 CVE STATUS: Patched CVE SUMMARY: The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via a large I/O descriptor buffer length value. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7422 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-7423 CVE STATUS: Patched CVE SUMMARY: The mptsas_process_scsi_io_request function in QEMU (aka Quick Emulator), when built with LSI SAS1068 Host Bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors involving MPTSASRequest objects. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7423 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-7466 CVE STATUS: Patched CVE SUMMARY: Memory leak in the usb_xhci_exit function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator), when the xhci uses msix, allows local guest OS administrators to cause a denial of service (memory consumption and possibly QEMU process crash) by repeatedly unplugging a USB device. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7466 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-7907 CVE STATUS: Patched CVE SUMMARY: The imx_fec_do_tx function in hw/net/imx_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7907 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-7908 CVE STATUS: Patched CVE SUMMARY: The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7908 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-7909 CVE STATUS: Patched CVE SUMMARY: The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7909 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-7994 CVE STATUS: Patched CVE SUMMARY: Memory leak in the virtio_gpu_resource_create_2d function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_CREATE_2D commands. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7994 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-7995 CVE STATUS: Patched CVE SUMMARY: Memory leak in the ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of crafted buffer page select (PG) indexes. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7995 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-8576 CVE STATUS: Patched CVE SUMMARY: The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8576 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-8577 CVE STATUS: Patched CVE SUMMARY: Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors related to an I/O read operation. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8577 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-8578 CVE STATUS: Patched CVE SUMMARY: The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) by sending an empty string parameter to a 9P operation. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8578 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-8667 CVE STATUS: Patched CVE SUMMARY: The rc4030_write function in hw/dma/rc4030.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8667 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-8668 CVE STATUS: Patched CVE SUMMARY: The rocker_io_writel function in hw/net/rocker/rocker.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging failure to limit DMA buffer size. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8668 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-8669 CVE STATUS: Patched CVE SUMMARY: The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8669 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-8909 CVE STATUS: Patched CVE SUMMARY: The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8909 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-8910 CVE STATUS: Patched CVE SUMMARY: The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8910 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9101 CVE STATUS: Patched CVE SUMMARY: Memory leak in hw/net/eepro100.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by repeatedly unplugging an i8255x (PRO100) NIC device. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9101 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9102 CVE STATUS: Patched CVE SUMMARY: Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9102 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9103 CVE STATUS: Patched CVE SUMMARY: The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values before writing to them. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9103 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9104 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via a crafted offset, which triggers an out-of-bounds access. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9104 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9105 CVE STATUS: Patched CVE SUMMARY: Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors involving a reference to the source fid object. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9105 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9106 CVE STATUS: Patched CVE SUMMARY: Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) by leveraging failure to free an IO vector. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9106 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9381 CVE STATUS: Patched CVE SUMMARY: Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a "double fetch" vulnerability. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9381 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9602 CVE STATUS: Patched CVE SUMMARY: Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host. CVSS v2 BASE SCORE: 9.0 CVSS v3 BASE SCORE: 7.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9602 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9603 CVE STATUS: Patched CVE SUMMARY: A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process. CVSS v2 BASE SCORE: 9.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9603 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9776 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this issue to crash the QEMU process on the host leading to DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9776 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9845 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak contents of the host memory bytes. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9845 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9846 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while updating the cursor data in update_cursor_data_virgl. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9846 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9907 CVE STATUS: Patched CVE SUMMARY: Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9907 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9908 CVE STATUS: Patched CVE SUMMARY: Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9908 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9911 CVE STATUS: Patched CVE SUMMARY: Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9911 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9912 CVE STATUS: Patched CVE SUMMARY: Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying gpu resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9912 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9913 CVE STATUS: Patched CVE SUMMARY: Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9913 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9914 CVE STATUS: Patched CVE SUMMARY: Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in FileOperations. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9914 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9915 CVE STATUS: Patched CVE SUMMARY: Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9915 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9916 CVE STATUS: Patched CVE SUMMARY: Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9916 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9921 CVE STATUS: Patched CVE SUMMARY: Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9921 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9922 CVE STATUS: Patched CVE SUMMARY: The cirrus_do_copy function in hw/display/cirrus_vga.c in QEMU (aka Quick Emulator), when cirrus graphics mode is VGA, allows local guest OS privileged users to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving blit pitch values. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9922 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2016-9923 CVE STATUS: Patched CVE SUMMARY: Quick Emulator (Qemu) built with the 'chardev' backend support is vulnerable to a use after free issue. It could occur while hotplug and unplugging the device in the guest. A guest user/process could use this flaw to crash a Qemu process on the host resulting in DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9923 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-10664 CVE STATUS: Patched CVE SUMMARY: qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10664 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-10806 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10806 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-11334 CVE STATUS: Patched CVE SUMMARY: The address_space_write_continue function in exec.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11334 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-11434 CVE STATUS: Patched CVE SUMMARY: The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) via a crafted DHCP options string. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11434 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-12809 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator), when built with the IDE disk and CD/DVD-ROM Emulator support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12809 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-13672 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13672 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-13673 CVE STATUS: Patched CVE SUMMARY: The vga display update in mis-calculated the region for the dirty bitmap snapshot in case split screen mode is used causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty function. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13673 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-13711 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13711 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-14167 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14167 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-15038 CVE STATUS: Patched CVE SUMMARY: Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15038 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-15118 CVE STATUS: Patched CVE SUMMARY: A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu before 2.11 allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu process. If NBD server requires TLS, the attacker cannot trigger the buffer overflow without first successfully negotiating TLS. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 8.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15118 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-15119 CVE STATUS: Patched CVE SUMMARY: The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15119 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-15124 CVE STATUS: Patched CVE SUMMARY: VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15124 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-15268 CVE STATUS: Patched CVE SUMMARY: Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15268 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-15289 CVE STATUS: Patched CVE SUMMARY: The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15289 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-16845 CVE STATUS: Patched CVE SUMMARY: hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 10.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16845 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-17381 CVE STATUS: Patched CVE SUMMARY: The Virtio Vring implementation in QEMU allows local OS guest users to cause a denial of service (divide-by-zero error and QEMU process crash) by unsetting vring alignment while updating Virtio rings. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17381 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-18030 CVE STATUS: Patched CVE SUMMARY: The cirrus_invalidate_region function in hw/display/cirrus_vga.c in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18030 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-18043 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allows a user to cause a denial of service (Qemu process crash). CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18043 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-2615 CVE STATUS: Patched CVE SUMMARY: Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. CVSS v2 BASE SCORE: 9.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2615 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-2620 CVE STATUS: Patched CVE SUMMARY: Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. CVSS v2 BASE SCORE: 9.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2620 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-2630 CVE STATUS: Patched CVE SUMMARY: A stack buffer overflow flaw was found in the Quick Emulator (QEMU) before 2.9 built with the Network Block Device (NBD) client support. The flaw could occur while processing server's response to a 'NBD_OPT_LIST' request. A malicious NBD server could use this issue to crash a remote NBD client resulting in DoS or potentially execute arbitrary code on client host with privileges of the QEMU process. CVSS v2 BASE SCORE: 6.5 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2630 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-2633 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds memory access issue was found in Quick Emulator (QEMU) before 1.7.2 in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the 'vnc_refresh_server_surface'. A user inside a guest could use this flaw to crash the QEMU process. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 5.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2633 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-5525 CVE STATUS: Patched CVE SUMMARY: Memory leak in hw/audio/ac97.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5525 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-5526 CVE STATUS: Patched CVE SUMMARY: Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5526 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-5552 CVE STATUS: Patched CVE SUMMARY: Memory leak in the virgl_resource_attach_backing function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5552 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-5578 CVE STATUS: Patched CVE SUMMARY: Memory leak in the virtio_gpu_resource_attach_backing function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5578 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-5579 CVE STATUS: Patched CVE SUMMARY: Memory leak in the serial_exit_core function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5579 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-5667 CVE STATUS: Patched CVE SUMMARY: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds heap access and crash) or execute arbitrary code on the QEMU host via vectors involving the data transfer length. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5667 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-5856 CVE STATUS: Patched CVE SUMMARY: Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) via MegaRAID Firmware Interface (MFI) commands with the sglist size set to a value over 2 Gb. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5856 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-5857 CVE STATUS: Patched CVE SUMMARY: Memory leak in the virgl_cmd_resource_unref function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_UNREF commands sent without detaching the backing storage beforehand. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5857 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-5898 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the emulated_apdu_from_guest function in usb/dev-smartcard-reader.c in Quick Emulator (Qemu), when built with the CCID Card device emulator support, allows local users to cause a denial of service (application crash) via a large Application Protocol Data Units (APDU) unit. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5898 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-5931 CVE STATUS: Patched CVE SUMMARY: Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host via a crafted virtio-crypto request, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5931 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-5973 CVE STATUS: Patched CVE SUMMARY: The xhci_kick_epctx function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors related to control transfer descriptor sequence. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5973 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-5987 CVE STATUS: Patched CVE SUMMARY: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5987 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-6058 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash) via vectors related to VLAN stripping. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6058 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-6505 CVE STATUS: Patched CVE SUMMARY: The ohci_service_ed_list function in hw/usb/hcd-ohci.c in QEMU (aka Quick Emulator) before 2.9.0 allows local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors, a different vulnerability than CVE-2017-9330. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6505 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-7377 CVE STATUS: Patched CVE SUMMARY: The (1) v9fs_create and (2) v9fs_lcreate functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7377 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-7471 CVE STATUS: Patched CVE SUMMARY: Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host. CVSS v2 BASE SCORE: 7.7 CVSS v3 BASE SCORE: 9.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7471 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-7493 CVE STATUS: Patched CVE SUMMARY: Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to escalate their privileges inside guest. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7493 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-7539 CVE STATUS: Patched CVE SUMMARY: An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7539 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-7718 CVE STATUS: Patched CVE SUMMARY: hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7718 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-7980 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors related to a VNC client updating its display after a VGA operation. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7980 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-8086 CVE STATUS: Patched CVE SUMMARY: Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8086 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-8112 CVE STATUS: Patched CVE SUMMARY: hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8112 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-8284 CVE STATUS: Patched CVE SUMMARY: The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid program, as demonstrated by procmail. NOTE: the vendor has stated "this bug does not violate any security guarantees QEMU makes. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8284 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-8309 CVE STATUS: Patched CVE SUMMARY: Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8309 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-8379 CVE STATUS: Patched CVE SUMMARY: Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8379 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-8380 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the "megasas_mmio_write" function in Qemu 2.9.0 allows remote attackers to have unspecified impact via unknown vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8380 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-9060 CVE STATUS: Patched CVE SUMMARY: Memory leak in the virtio_gpu_set_scanout function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (memory consumption) via a large number of "VIRTIO_GPU_CMD_SET_SCANOUT:" commands. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9060 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-9310 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator), when built with the e1000e NIC emulation support, allows local guest OS privileged users to cause a denial of service (infinite loop) via vectors related to setting the initial receive / transmit descriptor head (TDH/RDH) outside the allocated descriptor buffer. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9310 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-9330 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) before 2.9.0, when built with the USB OHCI Emulation support, allows local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value, a different vulnerability than CVE-2017-6505. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9330 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-9373 CVE STATUS: Patched CVE SUMMARY: Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9373 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-9374 CVE STATUS: Patched CVE SUMMARY: Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the device. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9374 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-9375 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator), when built with USB xHCI controller emulator support, allows local guest OS privileged users to cause a denial of service (infinite recursive call) via vectors involving control transfer descriptors sequencing. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9375 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-9503 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9503 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2017-9524 CVE STATUS: Patched CVE SUMMARY: The qemu-nbd server in QEMU (aka Quick Emulator), when built with the Network Block Device (NBD) Server support, allows remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs before talking to a client in the nbd_negotiate function. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9524 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-10839 CVE STATUS: Patched CVE SUMMARY: Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10839 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-11806 CVE STATUS: Patched CVE SUMMARY: m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11806 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-12617 CVE STATUS: Patched CVE SUMMARY: qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12617 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-15746 CVE STATUS: Patched CVE SUMMARY: qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15746 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-16847 CVE STATUS: Patched CVE SUMMARY: An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16847 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-16867 CVE STATUS: Patched CVE SUMMARY: A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal in the in usb_mtp_write_data function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write arbitrary files which may lead do DoS scenario OR possibly lead to code execution on the host. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16867 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-16872 CVE STATUS: Patched CVE SUMMARY: A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS. CVSS v2 BASE SCORE: 3.5 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16872 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-17958 CVE STATUS: Patched CVE SUMMARY: Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17958 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-17962 CVE STATUS: Patched CVE SUMMARY: Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17962 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-17963 CVE STATUS: Patched CVE SUMMARY: qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17963 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-18438 CVE STATUS: Ignored CVE DETAIL: disputed CVE DESCRIPTION: The issues identified by this CVE were determined to not constitute a vulnerability. CVE SUMMARY: Qemu has integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18438 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-18849 CVE STATUS: Patched CVE SUMMARY: In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18849 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-18954 CVE STATUS: Patched CVE SUMMARY: The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1 allows out-of-bounds write or read access to PowerNV memory. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18954 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-19364 CVE STATUS: Patched CVE SUMMARY: hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19364 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-19489 CVE STATUS: Patched CVE SUMMARY: v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of service (crash) because of a race condition during file renaming. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19489 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-19665 CVE STATUS: Patched CVE SUMMARY: The Bluetooth subsystem in QEMU mishandles negative values for length variables, leading to memory corruption. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 5.7 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19665 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-20123 CVE STATUS: Patched CVE SUMMARY: pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a Memory leak after an initialisation error. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20123 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-20124 CVE STATUS: Patched CVE SUMMARY: hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20124 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-20125 CVE STATUS: Patched CVE SUMMARY: hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20125 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-20126 CVE STATUS: Patched CVE SUMMARY: hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20126 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-20191 CVE STATUS: Patched CVE SUMMARY: hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20191 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-20216 CVE STATUS: Patched CVE SUMMARY: QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20216 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-20815 CVE STATUS: Patched CVE SUMMARY: In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20815 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-5683 CVE STATUS: Patched CVE SUMMARY: The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5683 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-7550 CVE STATUS: Patched CVE SUMMARY: The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7550 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2018-7858 CVE STATUS: Patched CVE SUMMARY: Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by leveraging incorrect region calculation when updating VGA display. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7858 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-12067 CVE STATUS: Ignored CVE DETAIL: upstream-wontfix CVE DESCRIPTION: There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can still be reproduced or where exactly any bug is. We'll pick up any fix when upstream accepts one. CVE SUMMARY: The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12067 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-12068 CVE STATUS: Patched CVE SUMMARY: In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12068 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-12155 CVE STATUS: Patched CVE SUMMARY: interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12155 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-12247 CVE STATUS: Patched CVE SUMMARY: QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12247 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-12928 CVE STATUS: Patched CVE SUMMARY: The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12928 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-12929 CVE STATUS: Patched CVE SUMMARY: The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12929 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-13164 CVE STATUS: Patched CVE SUMMARY: qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13164 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-15034 CVE STATUS: Patched CVE SUMMARY: hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 5.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15034 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-15890 CVE STATUS: Patched CVE SUMMARY: libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15890 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-20175 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a multiple of 512 (the size of a sector). NOTE: a member of the QEMU security team disputes the significance of this issue because a "privileged guest user has many ways to cause similar DoS effect, without triggering this assert. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20175 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-20382 CVE STATUS: Patched CVE SUMMARY: QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 3.5 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20382 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-20808 CVE STATUS: Patched CVE SUMMARY: In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20808 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-3812 CVE STATUS: Patched CVE SUMMARY: QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3812 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-5008 CVE STATUS: Patched CVE SUMMARY: hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5008 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-6501 CVE STATUS: Patched CVE SUMMARY: In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6501 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-6778 CVE STATUS: Patched CVE SUMMARY: In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6778 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-8934 CVE STATUS: Patched CVE SUMMARY: hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8934 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2019-9824 CVE STATUS: Patched CVE SUMMARY: tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9824 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-10702 CVE STATUS: Patched CVE SUMMARY: A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10702 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-10717 CVE STATUS: Patched CVE SUMMARY: A potential DoS flaw was found in the virtio-fs shared file system daemon (virtiofsd) implementation of the QEMU version >= v5.0. Virtio-fs is meant to share a host file system directory with a guest via virtio-fs device. If the guest opens the maximum number of file descriptors under the shared directory, a denial of service may occur. This flaw allows a guest user/process to cause this denial of service on the host. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10717 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-10761 CVE STATUS: Patched CVE SUMMARY: An assertion failure issue was found in the Network Block Device(NBD) Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A remote nbd-client could use this flaw to crash the qemu-nbd server resulting in a denial of service. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10761 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-11102 CVE STATUS: Patched CVE SUMMARY: hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11102 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-11869 CVE STATUS: Patched CVE SUMMARY: An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11869 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-11947 CVE STATUS: Patched CVE SUMMARY: iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11947 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-12829 CVE STATUS: Patched CVE SUMMARY: In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12829 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-13253 CVE STATUS: Patched CVE SUMMARY: sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13253 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-13361 CVE STATUS: Patched CVE SUMMARY: In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 3.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13361 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-13362 CVE STATUS: Patched CVE SUMMARY: In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13362 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-13659 CVE STATUS: Patched CVE SUMMARY: address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 2.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13659 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-13754 CVE STATUS: Patched CVE SUMMARY: hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13754 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-13765 CVE STATUS: Patched CVE SUMMARY: rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13765 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-13791 CVE STATUS: Patched CVE SUMMARY: hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13791 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-13800 CVE STATUS: Patched CVE SUMMARY: ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13800 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-14364 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14364 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-14394 CVE STATUS: Patched CVE SUMMARY: An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14394 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-14415 CVE STATUS: Patched CVE SUMMARY: oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14415 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-15469 CVE STATUS: Patched CVE SUMMARY: In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 2.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15469 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-15859 CVE STATUS: Patched CVE SUMMARY: QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15859 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-15863 CVE STATUS: Patched CVE SUMMARY: hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15863 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-16092 CVE STATUS: Patched CVE SUMMARY: In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16092 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-1711 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host. CVSS v2 BASE SCORE: 6.0 CVSS v3 BASE SCORE: 7.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1711 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-17380 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17380 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-24165 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary code, escalate privileges, and cause a denial of service (DoS). Note: This is disputed as a bug and not a valid security issue by multiple third parties. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24165 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-24352 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in QEMU through 5.1.0. An out-of-bounds memory access was found in the ATI VGA device implementation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati_2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24352 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-25084 CVE STATUS: Patched CVE SUMMARY: QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25084 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-25085 CVE STATUS: Patched CVE SUMMARY: QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25085 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-25624 CVE STATUS: Patched CVE SUMMARY: hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25624 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-25625 CVE STATUS: Patched CVE SUMMARY: hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25625 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-25723 CVE STATUS: Patched CVE SUMMARY: A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25723 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-25741 CVE STATUS: Patched CVE SUMMARY: fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25741 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-25742 CVE STATUS: Patched CVE SUMMARY: pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25742 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-25743 CVE STATUS: Patched CVE SUMMARY: hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25743 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-27616 CVE STATUS: Patched CVE SUMMARY: ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a calculation. A guest can crash the QEMU process. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27616 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-27617 CVE STATUS: Patched CVE SUMMARY: eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27617 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-27661 CVE STATUS: Patched CVE SUMMARY: A divide-by-zero issue was found in dwc2_handle_packet in hw/usb/hcd-dwc2.c in the hcd-dwc2 USB host controller emulation of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27661 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-27821 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the memory management API of QEMU during the initialization of a memory region cache. This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27821 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-28916 CVE STATUS: Patched CVE SUMMARY: hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28916 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-29443 CVE STATUS: Patched CVE SUMMARY: ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 3.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29443 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-35503 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35503 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-35504 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35504 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-35505 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35505 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-35506 CVE STATUS: Patched CVE SUMMARY: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35506 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-35517 CVE STATUS: Patched CVE SUMMARY: A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35517 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-7039 CVE STATUS: Patched CVE SUMMARY: tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7039 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2020-7211 CVE STATUS: Patched CVE SUMMARY: tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ directory traversal on Windows. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7211 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-20181 CVE STATUS: Patched CVE SUMMARY: A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20181 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-20196 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20196 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-20203 CVE STATUS: Patched CVE SUMMARY: An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20203 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-20221 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20221 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-20255 CVE STATUS: Ignored CVE DETAIL: upstream-wontfix CVE DESCRIPTION: There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html qemu maintainers say the patch is incorrect and should not be applied The issue is of low impact, at worst sitting in an infinite loop rather than exploitable. CVE SUMMARY: A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20255 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-20257 CVE STATUS: Patched CVE SUMMARY: An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20257 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-20263 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20263 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-20295 CVE STATUS: Patched CVE SUMMARY: It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to include the fix for the qemu-kvm component issue CVE-2020-10756, which was previously corrected in virt:rhel/qemu-kvm via erratum RHSA-2020:4059 (https://access.redhat.com/errata/RHSA-2020:4059). CVE-2021-20295 was assigned to that Red Hat specific security regression. For more details about the original security issue CVE-2020-10756, refer to bug 1835986 or the CVE page: https://access.redhat.com/security/cve/CVE-2020-10756. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20295 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3392 CVE STATUS: Patched CVE SUMMARY: A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3392 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3409 CVE STATUS: Patched CVE SUMMARY: The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 5.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3409 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3416 CVE STATUS: Patched CVE SUMMARY: A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3416 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3507 CVE STATUS: Patched CVE SUMMARY: A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3507 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3527 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3527 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3544 CVE STATUS: Patched CVE SUMMARY: Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3544 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3545 CVE STATUS: Patched CVE SUMMARY: An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3545 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3546 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3546 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3582 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_CMD_CREATE_MR" command due to improper memory remapping (mremap). This flaw allows a malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3582 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3607 CVE STATUS: Patched CVE SUMMARY: An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3607 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3608 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3608 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3611 CVE STATUS: Patched CVE SUMMARY: A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. This flaw affects QEMU versions prior to 7.0.0. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3611 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3638 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3638 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3682 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. CVSS v2 BASE SCORE: 6.0 CVSS v3 BASE SCORE: 8.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3682 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3713 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3713 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3735 CVE STATUS: Patched CVE SUMMARY: A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3735 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3748 CVE STATUS: Patched CVE SUMMARY: A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3748 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3750 CVE STATUS: Patched CVE SUMMARY: A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3750 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3929 CVE STATUS: Patched CVE SUMMARY: A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3929 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3930 CVE STATUS: Patched CVE SUMMARY: An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3930 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-3947 CVE STATUS: Patched CVE SUMMARY: A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist() where a malicious guest controlling certain input can read out of bounds memory. A malicious user could use this flaw leading to disclosure of sensitive information. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3947 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-4145 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0. The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4145 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-4158 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4158 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-4206 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4206 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2021-4207 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4207 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2022-0216 CVE STATUS: Patched CVE SUMMARY: A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0216 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2022-0358 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0358 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2022-1050 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1050 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2022-26353 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26353 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2022-26354 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26354 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2022-2962 CVE STATUS: Patched CVE SUMMARY: A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2962 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2022-3165 CVE STATUS: Patched CVE SUMMARY: An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3165 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2022-35414 CVE STATUS: Patched CVE SUMMARY: softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-virtualization Use Case in the qemu.org reference applies here, i.e., "Bugs affecting the non-virtualization use case are not considered security bugs at this time. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35414 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2022-36648 CVE STATUS: Patched CVE SUMMARY: The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability due to the rocker device not falling within the virtualization use case. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 10.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-36648 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2022-3872 CVE STATUS: Patched CVE SUMMARY: An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3872 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2022-4144 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4144 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2022-4172 CVE STATUS: Patched CVE SUMMARY: An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4172 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-0330 CVE STATUS: Patched CVE SUMMARY: A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0330 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-0664 CVE STATUS: Ignored CVE DETAIL: not-applicable-platform CVE DESCRIPTION: Issue only applies on Windows CVE SUMMARY: A flaw was found in the QEMU Guest Agent service for Windows. A local unprivileged user may be able to manipulate the QEMU Guest Agent's Windows installer via repair custom actions to elevate their privileges on the system. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0664 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-1386 CVE STATUS: Ignored CVE DETAIL: disputed CVE DESCRIPTION: not an issue as per https://bugzilla.redhat.com/show_bug.cgi?id=2223985 CVE SUMMARY: A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1386 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-1544 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1544 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-2680 CVE STATUS: Ignored CVE DETAIL: not-applicable-platform CVE DESCRIPTION: RHEL specific issue. CVE SUMMARY: This CVE exists because of an incomplete fix for CVE-2021-3750. More specifically, the qemu-kvm package as released for Red Hat Enterprise Linux 9.1 via RHSA-2022:7967 included a version of qemu-kvm that was actually missing the fix for CVE-2021-3750. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2680 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-2861 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2861 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-3019 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: Applies only against versions before 8.2.0 CVE SUMMARY: A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3019 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-3180 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3180 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-3255 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3255 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-3301 CVE STATUS: Patched CVE SUMMARY: A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3301 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-3354 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3354 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-40360 CVE STATUS: Patched CVE SUMMARY: QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no check for whether an endurance group is configured before checking whether Flexible Data Placement is enabled. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-40360 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-4135 CVE STATUS: Patched CVE SUMMARY: A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4135 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-42467 CVE STATUS: Patched CVE SUMMARY: QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-42467 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-5088 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: Applies only against version 8.2.0 and earlier CVE SUMMARY: A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5088 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-6683 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: Applies only against version 8.2.1 and earlier CVE SUMMARY: A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6683 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2023-6693 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: Applies only against version 8.2.0 and earlier CVE SUMMARY: A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6693 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2024-24474 CVE STATUS: Patched CVE SUMMARY: QEMU before 8.2.0 has an integer underflow, and resultant buffer overflow, via a TI command when an expected non-DMA transfer length is less than the length of the available FIFO data. This occurs in esp_do_nodma in hw/scsi/esp.c because of an underflow of async_len. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-24474 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2024-26327 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c mishandles the situation where a guest writes NumVFs greater than TotalVFs, leading to a buffer overflow in VF implementations. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26327 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2024-26328 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c does not set NumVFs to PCI_SRIOV_TOTAL_VF, and thus interaction with hw/nvme/ctrl.c is mishandled. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-26328 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2024-3447 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of `s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-3447 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2024-3567 CVE STATUS: Patched CVE SUMMARY: A flaw was found in QEMU. An assertion failure was present in the update_sctp_checksum() function in hw/net/net_tx_pkt.c when trying to calculate the checksum of a short-sized fragmented packet. This flaw allows a malicious guest to crash QEMU and cause a denial of service condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-3567 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2024-6505 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: this CVE is fixed since 9.1.0 CVE SUMMARY: A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6505 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2024-6519 CVE STATUS: Unpatched CVE SUMMARY: A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6519 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2024-7730 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: this is fixed in v8.2.7 CVE SUMMARY: A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7730 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2024-8354 CVE STATUS: Patched CVE SUMMARY: A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-8354 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2025-12464 CVE STATUS: Patched CVE SUMMARY: A stack-based buffer overflow was found in the QEMU e1000 network device. The code for padding short frames was dropped from individual network devices and moved to the net core code. The issue stems from the device's receive code still being able to process a short frame in loopback mode. This could lead to a buffer overrun in the e1000_receive_iov() function via the loopback code path. A malicious guest user could use this vulnerability to crash the QEMU process on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-12464 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2025-54566 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: This issue was introduced in v10.0.0-rc0 CVE SUMMARY: hw/pci/pcie_sriov.c in QEMU through 10.0.3 has a migration state inconsistency, a related issue to CVE-2024-26327. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.2 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-54566 LAYER: meta PACKAGE NAME: qemu PACKAGE VERSION: 8.2.7 CVE: CVE-2025-54567 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: This issue was introduced in v10.0.0-rc0 CVE SUMMARY: hw/pci/pcie_sriov.c in QEMU through 10.0.3 mishandles the VF Enable bit write mask, a related issue to CVE-2024-26327. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.2 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-54567 LAYER: meta PACKAGE NAME: lttng-ust PACKAGE VERSION: 2_2.13.8 CVE: CVE-2010-3386 CVE STATUS: Patched CVE SUMMARY: usttrace in LTTng Userspace Tracer (aka UST) 0.7 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3386 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2001-1147 CVE STATUS: Patched CVE SUMMARY: The PAM implementation in /bin/login of the util-linux package before 2.11 causes a password entry to be rewritten across multiple PAM calls, which could provide the credentials of one user to a different user, when used in certain PAM modules such as pam_limits. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1147 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2001-1175 CVE STATUS: Patched CVE SUMMARY: vipw in the util-linux package before 2.10 causes /etc/shadow to be world-readable in some cases, which would make it easier for local users to perform brute force password guessing. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1175 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2001-1494 CVE STATUS: Patched CVE SUMMARY: script command in the util-linux package before 2.11n allows local users to overwrite arbitrary files by setting a hardlink from the typescript log file to any file on the system, then having root execute the script command. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1494 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2003-0094 CVE STATUS: Patched CVE SUMMARY: A patch for mcookie in the util-linux package for Mandrake Linux 8.2 and 9.0 uses /dev/urandom instead of /dev/random, which causes mcookie to use an entropy source that is more predictable than expected, which may make it easier for certain types of attacks to succeed. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0094 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2004-0080 CVE STATUS: Patched CVE SUMMARY: The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0080 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2005-2876 CVE STATUS: Patched CVE SUMMARY: umount in util-linux 2.8 to 2.12q, 2.13-pre1, and 2.13-pre2, and other packages such as loop-aes-utils, allows local users with unmount permissions to gain privileges via the -r (remount) option, which causes the file system to be remounted with just the read-only flag, which effectively clears the nosuid, nodev, and other flags. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2876 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2006-7108 CVE STATUS: Patched CVE SUMMARY: login in util-linux-2.12a skips pam_acct_mgmt and chauth_tok when authentication is skipped, such as when a Kerberos krlogin session has been established, which might allow users to bypass intended access policies that would be enforced by pam_acct_mgmt and chauth_tok. CVSS v2 BASE SCORE: 4.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7108 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2007-5191 CVE STATUS: Patched CVE SUMMARY: mount and umount in util-linux and loop-aes-utils call the setuid and setgid functions in the wrong order and do not check the return values, which might allow attackers to gain privileges via helpers such as mount.nfs. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5191 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2008-1926 CVE STATUS: Patched CVE SUMMARY: Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1926 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2011-1675 CVE STATUS: Patched CVE SUMMARY: mount in util-linux 2.19 and earlier attempts to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1675 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2011-1676 CVE STATUS: Patched CVE SUMMARY: mount in util-linux 2.19 and earlier does not remove the /etc/mtab.tmp file after a failed attempt to add a mount entry, which allows local users to trigger corruption of the /etc/mtab file via multiple invocations. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1676 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2011-1677 CVE STATUS: Patched CVE SUMMARY: mount in util-linux 2.19 and earlier does not remove the /etc/mtab~ lock file after a failed attempt to add a mount entry, which has unspecified impact and local attack vectors. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1677 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2013-0157 CVE STATUS: Patched CVE SUMMARY: (a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably other versions allow local users to determine the existence of restricted directories by (1) using the --guess-fstype command-line option or (2) attempting to mount a non-existent device, which generates different error messages depending on whether the directory exists. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0157 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2014-9114 CVE STATUS: Patched CVE SUMMARY: Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9114 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2015-5218 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5218 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2015-5224 CVE STATUS: Patched CVE SUMMARY: The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5224 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2016-2779 CVE STATUS: Patched CVE SUMMARY: runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2779 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2016-5011 CVE STATUS: Patched CVE SUMMARY: The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 4.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5011 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2017-2616 CVE STATUS: Patched CVE SUMMARY: A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2616 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2018-7738 CVE STATUS: Patched CVE SUMMARY: In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7738 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2020-21583 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in hwclock.13-v2.27 allows attackers to gain escalated privlidges or execute arbitrary commands via the path parameter when setting the date. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21583 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2021-37600 CVE STATUS: Patched CVE SUMMARY: An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments. CVSS v2 BASE SCORE: 1.2 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37600 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2021-3995 CVE STATUS: Patched CVE SUMMARY: A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows an unprivileged local attacker to unmount FUSE filesystems that belong to certain other users who have a UID that is a prefix of the UID of the attacker in its string form. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3995 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2021-3996 CVE STATUS: Patched CVE SUMMARY: A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3996 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2022-0563 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0563 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2024-28085 CVE STATUS: Patched CVE SUMMARY: wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-28085 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2026-27456 CVE STATUS: Unpatched CVE SUMMARY: util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-27456 LAYER: meta-xilinx-core PACKAGE NAME: util-linux-libuuid PACKAGE VERSION: 2.40.4 CVE: CVE-2026-3184 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3184 LAYER: meta PACKAGE NAME: libcap PACKAGE VERSION: 2.69 CVE: CVE-2011-4099 CVE STATUS: Patched CVE SUMMARY: The capsh program in libcap before 2.22 does not change the current working directory when the --chroot option is specified, which allows local users to bypass the chroot restrictions via unspecified vectors. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4099 LAYER: meta PACKAGE NAME: libcap PACKAGE VERSION: 2.69 CVE: CVE-2023-2602 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to use cause __real_pthread_create() to return an error, which can exhaust the process memory. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2602 LAYER: meta PACKAGE NAME: libcap PACKAGE VERSION: 2.69 CVE: CVE-2023-2603 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2603 LAYER: meta PACKAGE NAME: libcap PACKAGE VERSION: 2.69 CVE: CVE-2025-1390 CVE STATUS: Patched CVE SUMMARY: The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-1390 LAYER: meta PACKAGE NAME: libcap PACKAGE VERSION: 2.69 CVE: CVE-2026-4878 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-4878 LAYER: meta-oe PACKAGE NAME: protobuf-c PACKAGE VERSION: 1.5.0 CVE: CVE-2022-33070 CVE STATUS: Patched CVE SUMMARY: Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33070 LAYER: meta-oe PACKAGE NAME: protobuf-c PACKAGE VERSION: 1.5.0 CVE: CVE-2022-48468 CVE STATUS: Patched CVE SUMMARY: protobuf-c before 1.4.1 has an unsigned integer overflow in parse_required_member. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48468 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2004-0826 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in Netscape Network Security Services (NSS) library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0826 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2006-4340 CVE STATUS: Patched CVE SUMMARY: Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates, a similar vulnerability to CVE-2006-4339. NOTE: on 20061107, Mozilla released an advisory stating that these versions were not completely patched by MFSA2006-60. The newer fixes for 1.5.0.7 are covered by CVE-2006-5462. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4340 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2006-5462 CVE STATUS: Patched CVE SUMMARY: Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.8, Thunderbird before 1.5.0.8, and SeaMonkey before 1.0.6, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates. NOTE: this identifier is for unpatched product versions that were originally intended to be addressed by CVE-2006-4340. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5462 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2007-0008 CVE STATUS: Patched CVE SUMMARY: Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the "Master Secret", which results in a heap-based overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0008 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2007-0009 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, SeaMonkey before 1.0.8, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via invalid "Client Master Key" length values. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0009 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2009-2404 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in a regular-expression parser in Mozilla Network Security Services (NSS) before 3.12.3, as used in Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger (AIM), allows remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code via a long domain name in the subject's Common Name (CN) field of an X.509 certificate, related to the cert_TestHostName function. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2404 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2009-2408 CVE STATUS: Patched CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2408 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2009-2409 CVE STATUS: Patched CVE SUMMARY: The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2409 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2011-5094 CVE STATUS: Patched CVE SUMMARY: Mozilla Network Security Services (NSS) 3.x, with certain settings of the SSL_ENABLE_RENEGOTIATION option, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-1473. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-5094 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2012-0441 CVE STATUS: Patched CVE SUMMARY: The ASN.1 decoder in the QuickDER decoder in Mozilla Network Security Services (NSS) before 3.13.4, as used in Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10, allows remote attackers to cause a denial of service (application crash) via a zero-length item, as demonstrated by (1) a zero-length basic constraint or (2) a zero-length field in an OCSP response. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0441 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2013-0791 CVE STATUS: Patched CVE SUMMARY: The CERT_DecodeCertPackage function in Mozilla Network Security Services (NSS), as used in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, SeaMonkey before 2.17, and other products, allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) via a crafted certificate. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0791 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2013-1620 CVE STATUS: Patched CVE SUMMARY: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1620 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2013-1739 CVE STATUS: Patched CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1739 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2013-1740 CVE STATUS: Patched CVE SUMMARY: The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1740 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2013-1741 CVE STATUS: Patched CVE SUMMARY: Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1741 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2013-5605 CVE STATUS: Patched CVE SUMMARY: Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-5605 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2013-5606 CVE STATUS: Patched CVE SUMMARY: The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-5606 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2014-1490 CVE STATUS: Patched CVE SUMMARY: Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1490 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2014-1491 CVE STATUS: Patched CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1491 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2014-1492 CVE STATUS: Patched CVE SUMMARY: The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1492 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2014-1544 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1544 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2014-1568 CVE STATUS: Patched CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1568 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2014-1569 CVE STATUS: Patched CVE SUMMARY: The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1569 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2015-2721 CVE STATUS: Patched CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.19, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, Thunderbird before 38.1, and other products, does not properly determine state transitions for the TLS state machine, which allows man-in-the-middle attackers to defeat cryptographic protection mechanisms by blocking messages, as demonstrated by removing a forward-secrecy property by blocking a ServerKeyExchange message, aka a "SMACK SKIP-TLS" issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2721 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2015-2730 CVE STATUS: Patched CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.19.1, as used in Mozilla Firefox before 39.0, Firefox ESR 31.x before 31.8 and 38.x before 38.1, and other products, does not properly perform Elliptical Curve Cryptography (ECC) multiplications, which makes it easier for remote attackers to spoof ECDSA signatures via unspecified vectors. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2730 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2015-4000 CVE STATUS: Patched CVE SUMMARY: The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4000 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2015-7181 CVE STATUS: Patched CVE SUMMARY: The sec_asn1d_parse_leaf function in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, improperly restricts access to an unspecified data structure, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data, related to a "use-after-poison" issue. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7181 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2015-7182 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7182 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2015-7183 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7183 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2015-7575 CVE STATUS: Patched CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7575 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2016-1950 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1950 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2016-1978 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange function in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact by making an SSL (1) DHE or (2) ECDHE handshake at a time of high memory consumption. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1978 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2016-1979 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the PK11_ImportDERPrivateKeyInfoAndReturnKey function in Mozilla Network Security Services (NSS) before 3.21.1, as used in Mozilla Firefox before 45.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted key data with DER encoding. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1979 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2016-2834 CVE STATUS: Patched CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.23, as used in Mozilla Firefox before 47.0, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2834 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2016-8635 CVE STATUS: Patched CVE SUMMARY: It was found that Diffie Hellman Client key exchange handling in NSS 3.21.x was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8635 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2016-9574 CVE STATUS: Patched CVE SUMMARY: nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9574 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2017-11695 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db CVE SUMMARY: Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11695 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2017-11696 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db CVE SUMMARY: Heap-based buffer overflow in the __hash_open function in lib/dbm/src/hash.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11696 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2017-11697 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db CVE SUMMARY: The __hash_open function in hash.c:229 in Mozilla Network Security Services (NSS) allows context-dependent attackers to cause a denial of service (floating point exception and crash) via a crafted cert8.db file. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11697 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2017-11698 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db CVE SUMMARY: Heap-based buffer overflow in the __get_page function in lib/dbm/src/h_page.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11698 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2017-5461 CVE STATUS: Patched CVE SUMMARY: Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5461 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2017-5462 CVE STATUS: Patched CVE SUMMARY: A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox ESR 52.1 has been updated with NSS version 3.28.4. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5462 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2017-7502 CVE STATUS: Patched CVE SUMMARY: Null pointer dereference vulnerability in NSS since 3.24.0 was found when server receives empty SSLv2 messages resulting into denial of service by remote attacker. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7502 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2018-12384 CVE STATUS: Patched CVE SUMMARY: When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12384 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2018-12404 CVE STATUS: Patched CVE SUMMARY: A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12404 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2018-18508 CVE STATUS: Patched CVE SUMMARY: In Network Security Services (NSS) before 3.36.7 and before 3.41.1, a malformed signature can cause a crash due to a null dereference, resulting in a Denial of Service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18508 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2019-17006 CVE STATUS: Patched CVE SUMMARY: In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17006 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2019-17007 CVE STATUS: Patched CVE SUMMARY: In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17007 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2020-25648 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25648 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2022-3479 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: vulnerability was introduced in 3.77 and fixed in 3.87 CVE SUMMARY: A vulnerability found in nss. By this security vulnerability, nss client auth crash without a user certificate in the database and this can lead us to a segmentation fault or crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3479 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2024-6602 CVE STATUS: Patched CVE SUMMARY: A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6602 LAYER: meta-oe PACKAGE NAME: nss PACKAGE VERSION: 3.98 CVE: CVE-2024-6609 CVE STATUS: Patched CVE SUMMARY: When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6609 LAYER: meta PACKAGE NAME: wayland PACKAGE VERSION: 1.22.0 CVE: CVE-2021-3782 CVE STATUS: Patched CVE SUMMARY: An internal reference count is held on the buffer pool, incremented every time a new buffer is created from the pool. The reference count is maintained as an int; on LP64 systems this can cause the reference count to overflow if the client creates a large number of wl_shm buffer objects, or if it can coerce the server to create a large number of external references to the buffer storage. With the reference count overflowing, a use-after-free can be constructed on the wl_shm_pool tracking structure, where values may be incremented or decremented; it may also be possible to construct a limited oracle to leak 4 bytes of server-side memory to the attacking client at a time. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3782 LAYER: meta PACKAGE NAME: libxtst PACKAGE VERSION: 1_1.2.4 CVE: CVE-2013-2063 CVE STATUS: Patched CVE SUMMARY: Integer overflow in X.org libXtst 1.2.1 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XRecordGetContext function. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2063 LAYER: meta PACKAGE NAME: libxtst PACKAGE VERSION: 1_1.2.4 CVE: CVE-2016-7951 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in X.org libXtst before 1.2.3 allow remote X servers to trigger out-of-bounds memory access operations by leveraging the lack of range checks. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7951 LAYER: meta PACKAGE NAME: libxtst PACKAGE VERSION: 1_1.2.4 CVE: CVE-2016-7952 CVE STATUS: Patched CVE SUMMARY: X.org libXtst before 1.2.3 allows remote X servers to cause a denial of service (infinite loop) via a reply in the (1) XRecordStartOfData, (2) XRecordEndOfData, or (3) XRecordClientDied category without a client sequence and with attached data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7952 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2007-3919 CVE STATUS: Patched CVE SUMMARY: (1) xenbaked and (2) xenmon.py in Xen 3.1 and earlier allow local users to truncate arbitrary files via a symlink attack on /tmp/xenq-shm. CVSS v2 BASE SCORE: 6.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:S/C:N/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3919 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2007-4993 CVE STATUS: Patched CVE SUMMARY: pygrub (tools/pygrub/src/GrubConf.py) in Xen 3.0.3, when booting a guest domain, allows local users with elevated privileges in the guest domain to execute arbitrary commands in domain 0 via a crafted grub.conf file whose contents are used in exec statements. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4993 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2007-5906 CVE STATUS: Patched CVE SUMMARY: Xen 3.1.1 allows virtual guest system users to cause a denial of service (hypervisor crash) by using a debug register (DR7) to set certain breakpoints. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5906 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2007-5907 CVE STATUS: Patched CVE SUMMARY: Xen 3.1.1 does not prevent modification of the CR4 TSC from applications, which allows pv guests to cause a denial of service (crash). CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5907 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2007-6207 CVE STATUS: Patched CVE SUMMARY: Xen 3.x, possibly before 3.1.2, when running on IA64 systems, does not check the RID value for mov_to_rr, which allows a VTi domain to read memory of other domains. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6207 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2007-6416 CVE STATUS: Patched CVE SUMMARY: The copy_to_user function in the PAL emulation functionality for Xen 3.1.2 and earlier, when running on ia64 systems, allows HVM guest users to access arbitrary physical memory by triggering certain mapping operations. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6416 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2008-1619 CVE STATUS: Patched CVE SUMMARY: The ssm_i emulation in Xen 5.1 on IA64 architectures allows attackers to cause a denial of service (dom0 panic) via certain traffic, as demonstrated using an FTP stress test tool. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1619 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2008-1943 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the backend of XenSource Xen Para Virtualized Frame Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a crafted description of a shared framebuffer. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1943 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2008-1944 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the backend framebuffer of XenSource Xen Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows local users to cause a denial of service (SDL crash) and possibly execute arbitrary code via "bogus screen updates," related to missing validation of the "format of messages." CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1944 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2008-3687 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the flask_security_label function in Xen 3.3, when compiled with the XSM:FLASK module, allows unprivileged domain users (domU) to execute arbitrary code via the flask_op hypercall. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3687 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2008-4405 CVE STATUS: Patched CVE SUMMARY: xend in Xen 3.0.3 does not properly limit the contents of the /local/domain xenstore directory tree, and does not properly restrict a guest VM's write access within this tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid. NOTE: this issue was originally reported as an issue in libvirt 0.3.3 and xenstore, but CVE is considering the core issue to be related to Xen. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4405 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2008-4993 CVE STATUS: Patched CVE SUMMARY: qemu-dm.debug in Xen 3.2.1 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/args temporary file. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4993 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2008-5716 CVE STATUS: Patched CVE SUMMARY: xend in Xen 3.3.0 does not properly restrict a guest VM's write access within the /local/domain xenstore directory tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid. NOTE: this issue exists because of erroneous set_permissions calls in the fix for CVE-2008-4405. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5716 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2009-1758 CVE STATUS: Patched CVE SUMMARY: The hypervisor_callback function in Xen, possibly before 3.4.0, as applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably other versions allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in "certain address ranges." CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1758 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2009-3525 CVE STATUS: Patched CVE SUMMARY: The pyGrub boot loader in Xen 3.0.3, 3.3.0, and Xen-3.3.1 does not support the password option in grub.conf for para-virtualized guests, which allows attackers with access to the para-virtualized guest console to boot the guest or modify the guest's kernel boot parameters without providing the expected password. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3525 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2010-2070 CVE STATUS: Patched CVE SUMMARY: arch/ia64/xen/faults.c in Xen 3.4 and 4.0 in Linux kernel 2.6.18, and possibly other kernel versions, when running on IA-64 architectures, allows local users to cause a denial of service and "turn on BE by modifying the user mask of the PSR," as demonstrated via exploitation of CVE-2006-0742. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2070 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2010-3699 CVE STATUS: Patched CVE SUMMARY: The backend driver in Xen 3.x allows guest OS users to cause a denial of service via a kernel thread leak, which prevents the device and guest OS from being shut down or create a zombie domain, causes a hang in zenwatch, or prevents unspecified xm commands from working properly, related to (1) netback, (2) blkback, or (3) blktap. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3699 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2010-4238 CVE STATUS: Patched CVE SUMMARY: The vbd_create function in Xen 3.1.2, when the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 is used, allows guest OS users to cause a denial of service (host OS panic) via an attempted access to a virtual CD-ROM device through the blkback driver. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 5.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4238 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2010-4247 CVE STATUS: Patched CVE SUMMARY: The do_block_io_op function in (1) drivers/xen/blkback/blkback.c and (2) drivers/xen/blktap/blktap.c in Xen before 3.4.0 for the Linux kernel 2.6.18, and possibly other versions, allows guest OS users to cause a denial of service (infinite loop and CPU consumption) via a large production request index to the blkback or blktap back-end drivers. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 5.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4247 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2010-4255 CVE STATUS: Patched CVE SUMMARY: The fixup_page_fault function in arch/x86/traps.c in Xen 4.0.1 and earlier on 64-bit platforms, when paravirtualization is enabled, does not verify that kernel mode is used to call the handle_gdt_ldt_mapping_fault function, which allows guest OS users to cause a denial of service (host OS BUG_ON) via a crafted memory access. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4255 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2011-1166 CVE STATUS: Patched CVE SUMMARY: Xen, possibly before 4.0.2, allows local 64-bit PV guests to cause a denial of service (host crash) by specifying user mode execution without user-mode pagetables. CVSS v2 BASE SCORE: 5.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1166 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2011-1583 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in tools/libxc/xc_dom_bzimageloader.c in Xen 3.2, 3.3, 4.0, and 4.1 allow local users to cause a denial of service and possibly execute arbitrary code via a crafted paravirtualised guest kernel image that triggers (1) a buffer overflow during a decompression loop or (2) an out-of-bounds read in the loader involving unspecified length fields. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1583 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2011-1763 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: pygrub auth bypass; only affected Xen 3.x, code path no longer exists CVE SUMMARY: The get_free_port function in Xen allows local authenticated DomU users to cause a denial of service or possibly gain privileges via unspecified vectors involving a new event channel port. CVSS v2 BASE SCORE: 7.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1763 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2011-1780 CVE STATUS: Patched CVE SUMMARY: The instruction emulation in Xen 3.0.3 allows local SMP guest users to cause a denial of service (host crash) by replacing the instruction that causes the VM to exit in one thread with a different instruction in a different thread. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1780 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2011-1898 CVE STATUS: Patched CVE SUMMARY: Xen 4.1 before 4.1.1 and 4.0 before 4.0.2, when using PCI passthrough on Intel VT-d chipsets that do not have interrupt remapping, allows guest OS users to gain host OS privileges by "using DMA to generate MSI interrupts by writing to the interrupt injection registers." CVSS v2 BASE SCORE: 7.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1898 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2011-1936 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: qemu/Linux KVM vmx cpuid issue; not a Xen issue CVE SUMMARY: Xen, when using x86 Intel processors and the VMX virtualization extension is enabled, does not properly handle cpuid instruction emulation when exiting the VM, which allows local guest users to cause a denial of service (guest crash) via unspecified vectors. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:H/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1936 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2011-2519 CVE STATUS: Patched CVE SUMMARY: Xen in the Linux kernel, when running a guest on a host without hardware assisted paging (HAP), allows guest users to cause a denial of service (invalid pointer dereference and hypervisor crash) via the SAHF instruction. CVSS v2 BASE SCORE: 5.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2519 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2011-2901 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the __addr_ok macro in Xen 3.3 and earlier allows local 64 bit PV guest administrators to cause a denial of service (host crash) via unspecified hypercalls that ignore virtual-address bits. CVSS v2 BASE SCORE: 5.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2901 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2011-3131 CVE STATUS: Patched CVE SUMMARY: Xen 4.1.1 and earlier allows local guest OS kernels with control of a PCI[E] device to cause a denial of service (CPU consumption and host hang) via many crafted DMA requests that are denied by the IOMMU, which triggers a livelock. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3131 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2011-3262 CVE STATUS: Patched CVE SUMMARY: tools/libxc/xc_dom_bzimageloader.c in Xen 3.2, 3.3, 4.0, and 4.1 allows local users to cause a denial of service (management software infinite loop and management domain resource consumption) via unspecified vectors related to "Lack of error checking in the decompression loop." CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3262 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2011-3346 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: QEMU SCSI hw/scsi-disk.c overflow; QEMU not built by this recipe CVE SUMMARY: Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with permission to access the CD-ROM to cause a denial of service (guest crash) via a crafted SAI READ CAPACITY SCSI command. NOTE: this is only a vulnerability when root has manually modified certain permissions or ACLs. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3346 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-0217 CVE STATUS: Patched CVE SUMMARY: The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and other products; Oracle Solaris 11 and earlier; illumos before r13724; Joyent SmartOS before 20120614T184600Z; FreeBSD before 9.0-RELEASE-p3; NetBSD 6.0 Beta and earlier; Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1; and possibly other operating systems, when running on an Intel processor, incorrectly uses the sysret path in cases where a certain address is not a canonical address, which allows local users to gain privileges via a crafted application. NOTE: because this issue is due to incorrect use of the Intel specification, it should have been split into separate identifiers; however, there was some value in preserving the original mapping of the multi-codebase coordinated-disclosure effort to a single identifier. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0217 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-0218 CVE STATUS: Patched CVE SUMMARY: Xen 3.4, 4.0, and 4.1, when the guest OS has not registered a handler for a syscall or sysenter instruction, does not properly clear a flag for exception injection when injecting a General Protection Fault, which allows local PV guest OS users to cause a denial of service (guest crash) by later triggering an exception that would normally be handled within Xen. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0218 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-2625 CVE STATUS: Patched CVE SUMMARY: The PyGrub boot loader in Xen unstable before changeset 25589:60f09d1ab1fe, 4.2.x, and 4.1.x allows local para-virtualized guest users to cause a denial of service (memory consumption) via a large (1) bzip2 or (2) lzma compressed kernel image. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2625 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-2934 CVE STATUS: Patched CVE SUMMARY: Xen 4.0, and 4.1, when running a 64-bit PV guest on "older" AMD CPUs, does not properly protect against a certain AMD processor bug, which allows local guest OS users to cause a denial of service (host hang) via sequential execution of instructions across a non-canonical boundary, a different vulnerability than CVE-2012-0217. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2934 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-3432 CVE STATUS: Patched CVE SUMMARY: The handle_mmio function in arch/x86/hvm/io.c in the MMIO operations emulator for Xen 3.3 and 4.x, when running an HVM guest, does not properly reset certain state information between emulation cycles, which allows local guest OS users to cause a denial of service (guest OS crash) via unspecified operations on MMIO regions. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3432 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-3433 CVE STATUS: Patched CVE SUMMARY: Xen 4.0 and 4.1 allows local HVM guest OS kernels to cause a denial of service (domain 0 VCPU hang and kernel panic) by modifying the physical address space in a way that triggers excessive shared page search time during the p2m teardown. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3433 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-3494 CVE STATUS: Patched CVE SUMMARY: The set_debugreg hypercall in include/asm-x86/debugreg.h in Xen 4.0, 4.1, and 4.2, and Citrix XenServer 6.0.2 and earlier, when running on x86-64 systems, allows local OS guest users to cause a denial of service (host crash) by writing to the reserved bits of the DR7 debug control register. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3494 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-3495 CVE STATUS: Patched CVE SUMMARY: The physdev_get_free_pirq hypercall in arch/x86/physdev.c in Xen 4.1.x and Citrix XenServer 6.0.2 and earlier uses the return value of the get_free_pirq function as an array index without checking that the return value indicates an error, which allows guest OS users to cause a denial of service (invalid memory write and host crash) and possibly gain privileges via unspecified vectors. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3495 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-3496 CVE STATUS: Patched CVE SUMMARY: XENMEM_populate_physmap in Xen 4.0, 4.1, and 4.2, and Citrix XenServer 6.0.2 and earlier, when translating paging mode is not used, allows local PV OS guest kernels to cause a denial of service (BUG triggered and host crash) via invalid flags such as MEMF_populate_on_demand. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3496 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-3497 CVE STATUS: Patched CVE SUMMARY: (1) TMEMC_SAVE_GET_CLIENT_WEIGHT, (2) TMEMC_SAVE_GET_CLIENT_CAP, (3) TMEMC_SAVE_GET_CLIENT_FLAGS and (4) TMEMC_SAVE_END in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (NULL pointer dereference or memory corruption and host crash) or possibly have other unspecified impacts via a NULL client id. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3497 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-3498 CVE STATUS: Patched CVE SUMMARY: PHYSDEVOP_map_pirq in Xen 4.1 and 4.2 and Citrix XenServer 6.0.2 and earlier allows local HVM guest OS kernels to cause a denial of service (host crash) and possibly read hypervisor or guest memory via vectors related to a missing range check of map->index. CVSS v2 BASE SCORE: 5.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3498 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-3515 CVE STATUS: Patched CVE SUMMARY: Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space." CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3515 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-3516 CVE STATUS: Patched CVE SUMMARY: The GNTTABOP_swap_grant_ref sub-operation in the grant table hypercall in Xen 4.2 and Citrix XenServer 6.0.2 allows local guest kernels or administrators to cause a denial of service (host crash) and possibly gain privileges via a crafted grant reference that triggers a write to an arbitrary hypervisor memory location. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3516 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-4411 CVE STATUS: Patched CVE SUMMARY: The graphical console in Xen 4.0, 4.1 and 4.2 allows local OS guest administrators to obtain sensitive host resource information via the qemu monitor. NOTE: this might be a duplicate of CVE-2007-0998. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:C/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4411 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-4535 CVE STATUS: Patched CVE SUMMARY: Xen 3.4 through 4.2, and possibly earlier versions, allows local guest OS administrators to cause a denial of service (Xen infinite loop and physical CPU consumption) by setting a VCPU with an "inappropriate deadline." CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4535 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-4536 CVE STATUS: Patched CVE SUMMARY: The (1) domain_pirq_to_emuirq and (2) physdev_unmap_pirq functions in Xen 2.2 allows local guest OS administrators to cause a denial of service (Xen crash) via a crafted pirq value that triggers an out-of-bounds read. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4536 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-4537 CVE STATUS: Patched CVE SUMMARY: Xen 3.4 through 4.2, and possibly earlier versions, does not properly synchronize the p2m and m2p tables when the set_p2m_entry function fails, which allows local HVM guest OS administrators to cause a denial of service (memory consumption and assertion failure), aka "Memory mapping failure DoS vulnerability." CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4537 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-4538 CVE STATUS: Patched CVE SUMMARY: The HVMOP_pagetable_dying hypercall in Xen 4.0, 4.1, and 4.2 does not properly check the pagetable state when running on shadow pagetables, which allows a local HVM guest OS to cause a denial of service (hypervisor crash) via unspecified vectors. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4538 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-4539 CVE STATUS: Patched CVE SUMMARY: Xen 4.0 through 4.2, when running 32-bit x86 PV guests on 64-bit hypervisors, allows local guest OS administrators to cause a denial of service (infinite loop and hang or crash) via invalid arguments to GNTTABOP_get_status_frames, aka "Grant table hypercall infinite loop DoS vulnerability." CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4539 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-4544 CVE STATUS: Patched CVE SUMMARY: The PV domain builder in Xen 4.2 and earlier does not validate the size of the kernel or ramdisk (1) before or (2) after decompression, which allows local guest administrators to cause a denial of service (domain 0 memory consumption) via a crafted (a) kernel or (b) ramdisk. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4544 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-5510 CVE STATUS: Patched CVE SUMMARY: Xen 4.x, when downgrading the grant table version, does not properly remove the status page from the tracking list when freeing the page, which allows local guest OS administrators to cause a denial of service (hypervisor crash) via unspecified vectors. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5510 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-5511 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the dirty video RAM tracking functionality in Xen 3.4 through 4.1 allows local HVM guest OS administrators to cause a denial of service (crash) via a large bitmap image. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5511 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-5513 CVE STATUS: Patched CVE SUMMARY: The XENMEM_exchange handler in Xen 4.2 and earlier does not properly check the memory address, which allows local PV guest OS administrators to cause a denial of service (crash) or possibly gain privileges via unspecified vectors that overwrite memory in the hypervisor reserved range. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5513 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-5514 CVE STATUS: Patched CVE SUMMARY: The guest_physmap_mark_populate_on_demand function in Xen 4.2 and earlier does not properly unlock the subject GFNs when checking if they are in use, which allows local guest HVM administrators to cause a denial of service (hang) via unspecified vectors. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5514 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-5515 CVE STATUS: Patched CVE SUMMARY: The (1) XENMEM_decrease_reservation, (2) XENMEM_populate_physmap, and (3) XENMEM_exchange hypercalls in Xen 4.2 and earlier allow local guest administrators to cause a denial of service (long loop and hang) via a crafted extent_order value. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5515 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-5525 CVE STATUS: Patched CVE SUMMARY: The get_page_from_gfn hypercall function in Xen 4.2 allows local PV guest OS administrators to cause a denial of service (crash) via a crafted GFN that triggers a buffer over-read. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5525 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-5634 CVE STATUS: Patched CVE SUMMARY: Xen 4.2.x, 4.1.x, and 4.0, when using Intel VT-d for PCI passthrough, does not properly configure VT-d when supporting a device that is behind a legacy PCI Bridge, which allows local guests to cause a denial of service to other guests by injecting an interrupt. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5634 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-6030 CVE STATUS: Patched CVE SUMMARY: The do_tmem_op function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (host crash) and possibly have other unspecified impacts via unspecified vectors related to "broken locking checks" in an "error path." NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6030 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-6031 CVE STATUS: Patched CVE SUMMARY: The do_tmem_get function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (CPU hang and host crash) via unspecified vectors related to a spinlock being held in the "bad_copy error path." NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6031 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-6032 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the (1) tmh_copy_from_client and (2) tmh_copy_to_client functions in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (memory corruption and host crash) via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6032 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-6033 CVE STATUS: Patched CVE SUMMARY: The do_tmem_control function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 does not properly check privileges, which allows local guest OS users to access control stack operations via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6033 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-6034 CVE STATUS: Patched CVE SUMMARY: The (1) tmemc_save_get_next_page and (2) tmemc_save_get_next_inv functions and the (3) TMEMC_SAVE_GET_POOL_UUID sub-operation in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 "do not check incoming guest output buffer pointers," which allows local guest OS users to cause a denial of service (memory corruption and host crash) or execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6034 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-6035 CVE STATUS: Patched CVE SUMMARY: The do_tmem_destroy_pool function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 does not properly validate pool ids, which allows local guest OS users to cause a denial of service (memory corruption and host crash) or execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6035 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-6036 CVE STATUS: Patched CVE SUMMARY: The (1) memc_save_get_next_page, (2) tmemc_restore_put_page and (3) tmemc_restore_flush_page functions in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 do not check for negative id pools, which allows local guest OS users to cause a denial of service (memory corruption and host crash) or possibly execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6036 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2012-6333 CVE STATUS: Patched CVE SUMMARY: Multiple HVM control operations in Xen 3.4 through 4.2 allow local HVM guest OS administrators to cause a denial of service (physical CPU consumption) via a large input. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6333 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-0151 CVE STATUS: Patched CVE SUMMARY: The do_hvm_op function in xen/arch/x86/hvm/hvm.c in Xen 4.2.x on the x86_32 platform does not prevent HVM_PARAM_NESTEDHVM (aka nested virtualization) operations, which allows guest OS users to cause a denial of service (long-duration page mappings and host OS crash) by leveraging administrative access to an HVM guest in a domain with a large number of VCPUs. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:H/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0151 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-0152 CVE STATUS: Patched CVE SUMMARY: Memory leak in Xen 4.2 and unstable allows local HVM guests to cause a denial of service (host memory consumption) by performing nested virtualization in a way that triggers errors that are not properly handled. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0152 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-0153 CVE STATUS: Patched CVE SUMMARY: The AMD IOMMU support in Xen 4.2.x, 4.1.x, 3.3, and other versions, when using AMD-Vi for PCI passthrough, uses the same interrupt remapping table for the host and all guests, which allows guests to cause a denial of service by injecting an interrupt into other guests. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0153 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-0154 CVE STATUS: Patched CVE SUMMARY: The get_page_type function in xen/arch/x86/mm.c in Xen 4.2, when debugging is enabled, allows local PV or HVM guest administrators to cause a denial of service (assertion failure and hypervisor crash) via unspecified vectors related to a hypercall. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0154 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-0215 CVE STATUS: Patched CVE SUMMARY: oxenstored in Xen 4.1.x, Xen 4.2.x, and xen-unstable does not properly consider the state of the Xenstore ring during read operations, which allows guest OS users to cause a denial of service (daemon crash and host-control outage, or memory consumption) or obtain sensitive control-plane data by leveraging guest administrative access. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0215 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-0231 CVE STATUS: Patched CVE SUMMARY: The pciback_enable_msi function in the PCI backend driver (drivers/xen/pciback/conf_space_capability_msi.c) in Xen for the Linux kernel 2.6.18 and 3.8 allows guest OS users with PCI device access to cause a denial of service via a large number of kernel log messages. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0231 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-1432 CVE STATUS: Patched CVE SUMMARY: Xen 4.1.x and 4.2.x, when the XSA-45 patch is in place, does not properly maintain references on pages stored for deferred cleanup, which allows local PV guest kernels to cause a denial of service (premature page free and hypervisor crash) or possibly gain privileges via unspecified vectors. CVSS v2 BASE SCORE: 7.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1432 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-1442 CVE STATUS: Patched CVE SUMMARY: Xen 4.0 through 4.3.x, when using AVX or LWP capable CPUs, does not properly clear previous data from registers when using an XSAVE or XRSTOR to extend the state components of a saved or restored vCPU after touching other restored extended registers, which allows local guest OSes to obtain sensitive information by reading the registers. CVSS v2 BASE SCORE: 1.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1442 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-1917 CVE STATUS: Patched CVE SUMMARY: Xen 3.1 through 4.x, when running 64-bit hosts on Intel CPUs, does not clear the NT flag when using an IRET after a SYSENTER instruction, which allows PV guest users to cause a denial of service (hypervisor crash) by triggering a #GP fault, which is not properly handled by another IRET instruction. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1917 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-1918 CVE STATUS: Patched CVE SUMMARY: Certain page table manipulation operations in Xen 4.1.x, 4.2.x, and earlier are not preemptible, which allows local PV kernels to cause a denial of service via vectors related to "deep page table traversal." CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1918 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-1919 CVE STATUS: Patched CVE SUMMARY: Xen 4.2.x and 4.1.x does not properly restrict access to IRQs, which allows local stub domain clients to gain access to IRQs and cause a denial of service via vectors related to "passed-through IRQs or PCI devices." CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1919 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-1920 CVE STATUS: Patched CVE SUMMARY: Xen 4.2.x, 4.1.x, and earlier, when the hypervisor is running "under memory pressure" and the Xen Security Module (XSM) is enabled, uses the wrong ordering of operations when extending the per-domain event channel tracking table, which causes a use-after-free and allows local guest kernels to inject arbitrary events and gain privileges via unspecified vectors. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1920 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-1922 CVE STATUS: Patched CVE SUMMARY: qemu-nbd in QEMU, as used in Xen 4.2.x, determines the format of a raw disk image based on the header, which allows local guest OS administrators to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted, a different vulnerability than CVE-2008-2004. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1922 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-1952 CVE STATUS: Patched CVE SUMMARY: Xen 4.x, when using Intel VT-d for a bus mastering capable PCI device, does not properly check the source when accessing a bridge device's interrupt remapping table entries for MSI interrupts, which allows local guest domains to cause a denial of service (interrupt injection) via unspecified vectors. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1952 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-1964 CVE STATUS: Patched CVE SUMMARY: Xen 4.0.x and 4.1.x incorrectly releases a grant reference when releasing a non-v1, non-transitive grant, which allows local guest administrators to cause a denial of service (host crash), obtain sensitive information, or possibly have other impacts via unspecified vectors. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1964 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-2072 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the Python bindings for the xc_vcpu_setaffinity call in Xen 4.0.x, 4.1.x, and 4.2.x allows local administrators with permissions to configure VCPU affinity to cause a denial of service (memory corruption and xend toolstack crash) and possibly gain privileges via a crafted cpumap. CVSS v2 BASE SCORE: 7.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2072 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-2076 CVE STATUS: Patched CVE SUMMARY: Xen 4.0.x, 4.1.x, and 4.2.x, when running on AMD64 processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one domain to determine portions of the state of floating point instructions of other domains, which can be leveraged to obtain sensitive information such as cryptographic keys, a similar vulnerability to CVE-2006-1056. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processors in a security-relevant fashion that was not addressed by the kernels. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:H/Au:S/C:C/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2076 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-2077 CVE STATUS: Patched CVE SUMMARY: Xen 4.0.x, 4.1.x, and 4.2.x does not properly restrict the contents of a XRSTOR, which allows local PV guest users to cause a denial of service (unhandled exception and hypervisor crash) via unspecified vectors. CVSS v2 BASE SCORE: 5.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2077 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-2078 CVE STATUS: Patched CVE SUMMARY: Xen 4.0.2 through 4.0.4, 4.1.x, and 4.2.x allows local PV guest users to cause a denial of service (hypervisor crash) via certain bit combinations to the XSETBV instruction. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2078 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-2194 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2194 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-2195 CVE STATUS: Patched CVE SUMMARY: The Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to "pointer dereferences" involving unexpected calculations. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2195 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-2196 CVE STATUS: Patched CVE SUMMARY: Multiple unspecified vulnerabilities in the Elf parser (libelf) in Xen 4.2.x and earlier allow local guest administrators with certain permissions to have an unspecified impact via a crafted kernel, related to "other problems" that are not CVE-2013-2194 or CVE-2013-2195. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2196 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-2211 CVE STATUS: Patched CVE SUMMARY: The libxenlight (libxl) toolstack library in Xen 4.0.x, 4.1.x, and 4.2.x uses weak permissions for xenstore keys for paravirtualised and emulated serial console devices, which allows local guest administrators to modify the xenstore value via unspecified vectors. CVSS v2 BASE SCORE: 7.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2211 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-2212 CVE STATUS: Patched CVE SUMMARY: The vmx_set_uc_mode function in Xen 3.3 through 4.3, when disabling caches, allows local HVM guests with access to memory mapped I/O regions to cause a denial of service (CPU consumption and possibly hypervisor or guest kernel panic) via a crafted GFN range. CVSS v2 BASE SCORE: 5.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2212 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-3495 CVE STATUS: Patched CVE SUMMARY: The Intel VT-d Interrupt Remapping engine in Xen 3.3.x through 4.3.x allows local guests to cause a denial of service (kernel panic) via a malformed Message Signaled Interrupt (MSI) from a PCI device that is bus mastering capable that triggers a System Error Reporting (SERR) Non-Maskable Interrupt (NMI). CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3495 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-4329 CVE STATUS: Patched CVE SUMMARY: The xenlight library (libxl) in Xen 4.0.x through 4.2.x, when IOMMU is disabled, provides access to a busmastering-capable PCI passthrough device before the IOMMU setup is complete, which allows local HVM guest domains to gain privileges or cause a denial of service via a DMA instruction. CVSS v2 BASE SCORE: 6.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:H/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4329 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-4355 CVE STATUS: Patched CVE SUMMARY: Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory. CVSS v2 BASE SCORE: 1.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4355 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-4356 CVE STATUS: Patched CVE SUMMARY: Xen 4.3.x writes hypervisor mappings to certain shadow pagetables when live migration is performed on hosts with more than 5TB of RAM, which allows local 64-bit PV guests to read or write to invalid memory and cause a denial of service (crash). CVSS v2 BASE SCORE: 5.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4356 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-4361 CVE STATUS: Patched CVE SUMMARY: The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the correct variable for the source effective address, which allows local HVM guests to obtain hypervisor stack information by reading the values used by the instruction. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4361 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-4368 CVE STATUS: Patched CVE SUMMARY: The outs instruction emulation in Xen 3.1.x, 4.2.x, 4.3.x, and earlier, when using FS: or GS: segment override, uses an uninitialized variable as a segment base, which allows local 64-bit PV guests to obtain sensitive information (hypervisor stack content) via unspecified vectors related to stale data in a segment register. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4368 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-4369 CVE STATUS: Patched CVE SUMMARY: The xlu_vif_parse_rate function in the libxlu library in Xen 4.2.x and 4.3.x allows local users to cause a denial of service (NULL pointer dereference) by using the "@" character as the VIF rate configuration. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4369 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-4370 CVE STATUS: Patched CVE SUMMARY: The ocaml binding for the xc_vcpu_getaffinity function in Xen 4.2.x and 4.3.x frees certain memory that may still be intended for use, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors that trigger a (1) use-after-free or (2) double free. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4370 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-4371 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the libxl_list_cpupool function in the libxl toolstack library in Xen 4.2.x and 4.3.x, when running "under memory pressure," returns the original pointer when the realloc function fails, which allows local users to cause a denial of service (heap corruption and crash) and possibly execute arbitrary code via unspecified vectors. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4371 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-4375 CVE STATUS: Patched CVE SUMMARY: The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and qemu 1.1 and other versions, allows local HVM guests to cause a denial of service (domain grant reference consumption) via unspecified vectors. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4375 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-4416 CVE STATUS: Patched CVE SUMMARY: The Ocaml xenstored implementation (oxenstored) in Xen 4.1.x, 4.2.x, and 4.3.x allows local guest domains to cause a denial of service (domain shutdown) via a large message reply. CVSS v2 BASE SCORE: 5.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4416 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-4494 CVE STATUS: Patched CVE SUMMARY: Xen before 4.1.x, 4.2.x, and 4.3.x does not take the page_alloc_lock and grant_table.lock in the same order, which allows local guest administrators with access to multiple vcpus to cause a denial of service (host deadlock) via unspecified vectors. CVSS v2 BASE SCORE: 5.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4494 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-4551 CVE STATUS: Patched CVE SUMMARY: Xen 4.2.x and 4.3.x, when nested virtualization is disabled, does not properly check the emulation paths for (1) VMLAUNCH and (2) VMRESUME, which allows local HVM guest users to cause a denial of service (host crash) via unspecified vectors related to "guest VMX instruction execution." CVSS v2 BASE SCORE: 5.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4551 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-4553 CVE STATUS: Patched CVE SUMMARY: The XEN_DOMCTL_getmemlist hypercall in Xen 3.4.x through 4.3.x (possibly 4.3.1) does not always obtain the page_alloc_lock and mm_rwlock in the same order, which allows local guest administrators to cause a denial of service (host deadlock). CVSS v2 BASE SCORE: 5.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4553 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-4554 CVE STATUS: Patched CVE SUMMARY: Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges via a crafted application running in ring 1 or 2. CVSS v2 BASE SCORE: 5.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4554 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-6375 CVE STATUS: Patched CVE SUMMARY: Xen 4.2.x and 4.3.x, when using Intel VT-d for PCI passthrough, does not properly flush the TLB after clearing a present translation table entry, which allows local guest administrators to cause a denial of service or gain privileges via unspecified vectors related to an "inverted boolean parameter." CVSS v2 BASE SCORE: 7.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6375 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2013-6400 CVE STATUS: Patched CVE SUMMARY: Xen 4.2.x and 4.3.x, when using Intel VT-d and a PCI device has been assigned, does not clear the flag that suppresses IOMMU TLB flushes when unspecified errors occur, which causes the TLB entries to not be flushed and allows local guest administrators to cause a denial of service (host crash) or gain privileges via unspecified vectors. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6400 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-1642 CVE STATUS: Patched CVE SUMMARY: The IRQ setup in Xen 4.2.x and 4.3.x, when using device passthrough and configured to support a large number of CPUs, frees certain memory that may still be intended for use, which allows local guest administrators to cause a denial of service (memory corruption and hypervisor crash) and possibly execute arbitrary code via vectors related to an out-of-memory error that triggers a (1) use-after-free or (2) double free. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1642 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-1666 CVE STATUS: Patched CVE SUMMARY: The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not properly restrict access to the (1) PHYSDEVOP_prepare_msix and (2) PHYSDEVOP_release_msix operations, which allows local PV guests to cause a denial of service (host or guest malfunction) or possibly gain privileges via unspecified vectors. CVSS v2 BASE SCORE: 8.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1666 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-1891 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the (1) FLASK_GETBOOL, (2) FLASK_SETBOOL, (3) FLASK_USER, and (4) FLASK_CONTEXT_TO_SID suboperations in the flask hypercall in Xen 4.3.x, 4.2.x, 4.1.x, 3.2.x, and earlier, when XSM is enabled, allow local users to cause a denial of service (processor fault) via unspecified vectors, a different vulnerability than CVE-2014-1892, CVE-2014-1893, and CVE-2014-1894. CVSS v2 BASE SCORE: 5.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1891 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-1892 CVE STATUS: Patched CVE SUMMARY: Xen 3.3 through 4.1, when XSM is enabled, allows local users to cause a denial of service via vectors related to a "large memory allocation," a different vulnerability than CVE-2014-1891, CVE-2014-1893, and CVE-2014-1894. CVSS v2 BASE SCORE: 5.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1892 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-1893 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the (1) FLASK_GETBOOL and (2) FLASK_SETBOOL suboperations in the flask hypercall in Xen 4.1.x, 3.3.x, 3.2.x, and earlier, when XSM is enabled, allow local users to cause a denial of service (processor fault) via unspecified vectors, a different vulnerability than CVE-2014-1891, CVE-2014-1892, and CVE-2014-1894. CVSS v2 BASE SCORE: 5.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1893 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-1894 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in unspecified suboperations in the flask hypercall in Xen 3.2.x and earlier, when XSM is enabled, allow local users to cause a denial of service (processor fault) via unspecified vectors, a different vulnerability than CVE-2014-1891, CVE-2014-1892, and CVE-2014-1893. CVSS v2 BASE SCORE: 5.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1894 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-1895 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the flask_security_avc_cachestats function in xsm/flask/flask_op.c in Xen 4.2.x and 4.3.x, when the maximum number of physical CPUs are in use, allows local users to cause a denial of service (host crash) or obtain sensitive information from hypervisor memory by leveraging a FLASK_AVC_CACHESTAT hypercall, which triggers a buffer over-read. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:P/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1895 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-1896 CVE STATUS: Patched CVE SUMMARY: The (1) do_send and (2) do_recv functions in io.c in libvchan in Xen 4.2.x, 4.3.x, and 4.4-RC series allows local guests to cause a denial of service or possibly gain privileges via crafted xenstore ring indexes, which triggers a "read or write past the end of the ring." CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1896 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-1950 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the xc_cpupool_getinfo function in Xen 4.1.x through 4.3.x, when using a multithreaded toolstack, does not properly handle a failure by the xc_cpumap_alloc function, which allows local users with access to management functions to cause a denial of service (heap corruption) and possibly gain privileges via unspecified vectors. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1950 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-2580 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: Linux netback; fix lives in the Linux kernel CVE SUMMARY: The netback driver in Xen, when using certain Linux versions that do not allow sleeping in softirq context, allows local guest administrators to cause a denial of service ("scheduling while atomic" error and host crash) via a malformed packet, which causes a mutex to be taken when trying to disable the interface. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2580 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-2599 CVE STATUS: Patched CVE SUMMARY: The HVMOP_set_mem_access HVM control operations in Xen 4.1.x for 32-bit and 4.1.x through 4.4.x for 64-bit allow local guest administrators to cause a denial of service (CPU consumption) by leveraging access to certain service domains for HVM guests and a large input. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2599 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-2915 CVE STATUS: Patched CVE SUMMARY: Xen 4.4.x, when running on ARM systems, does not properly restrict access to hardware features, which allows local guest users to cause a denial of service (host or guest crash) via unspecified vectors, related to (1) cache control, (2) coprocessors, (3) debug registers, and (4) other unspecified registers. CVSS v2 BASE SCORE: 5.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2915 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-2986 CVE STATUS: Patched CVE SUMMARY: The vgic_distr_mmio_write function in the virtual guest interrupt controller (GIC) distributor (arch/arm/vgic.c) in Xen 4.4.x, when running on an ARM system, allows local guest users to cause a denial of service (NULL pointer dereference and host crash) via unspecified vectors. CVSS v2 BASE SCORE: 5.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2986 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-3124 CVE STATUS: Patched CVE SUMMARY: The HVMOP_set_mem_type control in Xen 4.1 through 4.4.x allows local guest HVM administrators to cause a denial of service (hypervisor crash) or possibly execute arbitrary code by leveraging a separate qemu-dm vulnerability to trigger invalid page table translations for unspecified memory page types. CVSS v2 BASE SCORE: 6.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:P/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3124 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-3125 CVE STATUS: Patched CVE SUMMARY: Xen 4.4.x, when running on an ARM system, does not properly context switch the CNTKCTL_EL1 register, which allows local guest users to modify the hardware timers and cause a denial of service (crash) via unspecified vectors. CVSS v2 BASE SCORE: 6.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3125 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-3672 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: QEMU unrestricted logging; QEMU side N/A (libxl companion 15bbbecad5a6 present) CVE SUMMARY: The qemu implementation in libvirt before 1.3.0 and Xen allows local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3672 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-3714 CVE STATUS: Patched CVE SUMMARY: The ARM image loading functionality in Xen 4.4.x does not properly validate kernel length, which allows local users to read system memory or cause a denial of service (crash) via a crafted 32-bit ARM guest kernel in an image, which triggers a buffer overflow. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3714 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-3715 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in Xen 4.4.x allows local users to read system memory or cause a denial of service (crash) via a crafted 32-bit guest kernel, related to searching for an appended DTB. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3715 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-3716 CVE STATUS: Patched CVE SUMMARY: Xen 4.4.x does not properly check alignment, which allows local users to cause a denial of service (crash) via an unspecified field in a DTB header in a 32-bit guest kernel. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3716 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-3717 CVE STATUS: Patched CVE SUMMARY: Xen 4.4.x does not properly validate the load address for 64-bit ARM guest kernels, which allows local users to read system memory or cause a denial of service (crash) via a crafted kernel, which triggers a buffer overflow. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3717 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-3967 CVE STATUS: Patched CVE SUMMARY: The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x does not properly check the return value from the IRQ setup check, which allows local HVM guest administrators to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors. CVSS v2 BASE SCORE: 5.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3967 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-3968 CVE STATUS: Patched CVE SUMMARY: The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x allows local guest HVM administrators to cause a denial of service (host crash) via a large number of crafted requests, which trigger an error messages to be logged. CVSS v2 BASE SCORE: 5.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3968 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-3969 CVE STATUS: Patched CVE SUMMARY: Xen 4.4.x, when running on an ARM system, does not properly check write permissions on virtual addresses, which allows local guest administrators to gain privileges via unspecified vectors. CVSS v2 BASE SCORE: 7.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3969 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-4021 CVE STATUS: Patched CVE SUMMARY: Xen 3.2.x through 4.4.x does not properly clean memory pages recovered from guests, which allows local guest OS users to obtain sensitive information via unspecified vectors. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4021 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-4022 CVE STATUS: Patched CVE SUMMARY: The alloc_domain_struct function in arch/arm/domain.c in Xen 4.4.x, when running on an ARM platform, does not properly initialize the structure containing the grant table pages for a domain, which allows local guest administrators to obtain sensitive information via the GNTTABOP_setup_table subhypercall. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4022 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-5146 CVE STATUS: Patched CVE SUMMARY: Certain MMU virtualization operations in Xen 4.2.x through 4.4.x before the xsa97-hap patch, when using Hardware Assisted Paging (HAP), are not preemptible, which allows local HVM guest to cause a denial of service (vcpu consumption) by invoking these operations, which process every page assigned to a guest, a different vulnerability than CVE-2014-5149. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5146 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-5147 CVE STATUS: Patched CVE SUMMARY: Xen 4.4.x, when running a 64-bit kernel on an ARM system, does not properly handle traps from the guest domain that use a different address width, which allows local guest users to cause a denial of service (host crash) via a crafted 32-bit process. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:H/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5147 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-5148 CVE STATUS: Patched CVE SUMMARY: Xen 4.4.x, when running on an ARM system and "handling an unknown system register access from 64-bit userspace," returns to an instruction of the trap handler for kernel space faults instead of an instruction that is associated with faults in 64-bit userspace, which allows local guest users to cause a denial of service (crash) and possibly gain privileges via a crafted process. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5148 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-5149 CVE STATUS: Patched CVE SUMMARY: Certain MMU virtualization operations in Xen 4.2.x through 4.4.x, when using shadow pagetables, are not preemptible, which allows local HVM guest to cause a denial of service (vcpu consumption) by invoking these operations, which process every page assigned to a guest, a different vulnerability than CVE-2014-5146. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5149 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-6268 CVE STATUS: Patched CVE SUMMARY: The evtchn_fifo_set_pending function in Xen 4.4.x allows local guest users to cause a denial of service (host crash) via vectors involving an uninitialized FIFO-based event channel control block when (1) binding or (2) moving an event to a different VCPU. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6268 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-7154 CVE STATUS: Patched CVE SUMMARY: Race condition in HVMOP_track_dirty_vram in Xen 4.0.0 through 4.4.x does not ensure possession of the guarding lock for dirty video RAM tracking, which allows certain local guest domains to cause a denial of service via unspecified vectors. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7154 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-7155 CVE STATUS: Patched CVE SUMMARY: The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 4.4.x and earlier does not properly check supervisor mode permissions, which allows local HVM users to cause a denial of service (guest crash) or gain guest kernel mode privileges via vectors involving an (1) HLT, (2) LGDT, (3) LIDT, or (4) LMSW instruction. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7155 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-7156 CVE STATUS: Patched CVE SUMMARY: The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 3.3.x through 4.4.x does not check the supervisor mode permissions for instructions that generate software interrupts, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7156 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-7188 CVE STATUS: Patched CVE SUMMARY: The hvm_msr_read_intercept function in arch/x86/hvm/hvm.c in Xen 4.1 through 4.4.x uses an improper MSR range for x2APIC emulation, which allows local HVM guests to cause a denial of service (host crash) or read data from the hypervisor or other guests via unspecified vectors. CVSS v2 BASE SCORE: 8.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7188 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-8594 CVE STATUS: Patched CVE SUMMARY: The do_mmu_update function in arch/x86/mm.c in Xen 4.x through 4.4.x does not properly restrict updates to only PV page tables, which allows remote PV guests to cause a denial of service (NULL pointer dereference) by leveraging hardware emulation services for HVM guests using Hardware Assisted Paging (HAP). CVSS v2 BASE SCORE: 5.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8594 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-8595 CVE STATUS: Patched CVE SUMMARY: arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not properly check privileges, which allows local HVM guest users to gain privileges or cause a denial of service (crash) via a crafted (1) CALL, (2) JMP, (3) RETF, (4) LCALL, (5) LJMP, or (6) LRET far branch instruction. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8595 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-8866 CVE STATUS: Patched CVE SUMMARY: The compatibility mode hypercall argument translation in Xen 3.3.x through 4.4.x, when running on a 64-bit hypervisor, allows local 32-bit HVM guests to cause a denial of service (host crash) via vectors involving altering the high halves of registers while in 64-bit mode. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8866 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-8867 CVE STATUS: Patched CVE SUMMARY: The acceleration support for the "REP MOVS" instruction in Xen 4.4.x, 3.2.x, and earlier lacks properly bounds checking for memory mapped I/O (MMIO) emulated in the hypervisor, which allows local HVM guests to cause a denial of service (host crash) via unspecified vectors. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8867 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-9030 CVE STATUS: Patched CVE SUMMARY: The do_mmu_update function in arch/x86/mm.c in Xen 3.2.x through 4.4.x does not properly manage page references, which allows remote domains to cause a denial of service by leveraging control over an HVM guest and a crafted MMU_MACHPHYS_UPDATE. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9030 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-9065 CVE STATUS: Patched CVE SUMMARY: common/spinlock.c in Xen 4.4.x and earlier does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability to CVE-2014-9066. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9065 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2014-9066 CVE STATUS: Patched CVE SUMMARY: Xen 4.4.x and earlier, when using a large number of VCPUs, does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability than CVE-2014-9065. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9066 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-0268 CVE STATUS: Patched CVE SUMMARY: The vgic_v2_to_sgi function in arch/arm/vgic-v2.c in Xen 4.5.x, when running on ARM hardware with general interrupt controller (GIC) version 2, allows local guest users to cause a denial of service (host crash) by writing an invalid value to the GICD.SGIR register. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0268 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-0361 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in Xen 4.2.x, 4.3.x, and 4.4.x allows remote domains to cause a denial of service (system crash) via a crafted hypercall during HVM guest teardown. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0361 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-0777 CVE STATUS: Patched CVE SUMMARY: drivers/xen/usbback/usbback.c in linux-2.6.18-xen-3.4.0 (aka the Xen 3.4.x support patches for the Linux kernel 2.6.18), as used in the Linux kernel 2.6.x and 3.x in SUSE Linux distributions, allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory via unspecified vectors. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0777 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-1563 CVE STATUS: Patched CVE SUMMARY: The ARM GIC distributor virtualization in Xen 4.4.x and 4.5.x allows local guests to cause a denial of service by causing a large number messages to be logged. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1563 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-2044 CVE STATUS: Patched CVE SUMMARY: The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x does not properly initialize data, which allow local HVM guest users to obtain sensitive information via vectors involving an unsupported access size. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2044 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-2045 CVE STATUS: Patched CVE SUMMARY: The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does not properly initialize data structures, which allows local guest users to obtain sensitive information via unspecified vectors. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2045 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-2150 CVE STATUS: Patched CVE SUMMARY: Xen 3.3.x through 4.5.x and the Linux kernel through 3.19.1 do not properly restrict access to PCI command registers, which might allow local guest OS users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2150 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-2151 CVE STATUS: Patched CVE SUMMARY: The x86 emulator in Xen 3.2.x through 4.5.x does not properly ignore segment overrides for instructions with register operands, which allows local guest users to obtain sensitive information, cause a denial of service (memory corruption), or possibly execute arbitrary code via unspecified vectors. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2151 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-2152 CVE STATUS: Patched CVE SUMMARY: Xen 4.5.x and earlier enables certain default backends when emulating a VGA device for an x86 HVM guest qemu even when the configuration disables them, which allows local guest users to obtain access to the VGA console by (1) setting the DISPLAY environment variable, when compiled with SDL support, or connecting to the VNC server on (2) ::1 or (3) 127.0.0.1, when not compiled with SDL support. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2152 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-2751 CVE STATUS: Patched CVE SUMMARY: Xen 4.3.x, 4.4.x, and 4.5.x, when using toolstack disaggregation, allows remote domains with partial management control to cause a denial of service (host lock) via unspecified domctl operations. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2751 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-2752 CVE STATUS: Patched CVE SUMMARY: The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, when using a PCI passthrough device, is not preemptible, which allows local x86 HVM domain users to cause a denial of service (host CPU consumption) via a crafted request to the device model (qemu-dm). CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2752 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-2756 CVE STATUS: Patched CVE SUMMARY: QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2756 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-3259 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the xl command line utility in Xen 4.1.x through 4.5.x allows local guest administrators to gain privileges via a long configuration argument. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3259 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-3340 CVE STATUS: Patched CVE SUMMARY: Xen 4.2.x through 4.5.x does not initialize certain fields, which allows certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3340 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-3456 CVE STATUS: Patched CVE SUMMARY: The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM. CVSS v2 BASE SCORE: 7.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3456 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-4103 CVE STATUS: Patched CVE SUMMARY: Xen 3.3.x through 4.5.x does not properly restrict write access to the host MSI message data field, which allows local x86 HVM guest administrators to cause a denial of service (host interrupt handling confusion) via vectors related to qemu and accessing spanning multiple fields. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4103 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-4104 CVE STATUS: Patched CVE SUMMARY: Xen 3.3.x through 4.5.x does not properly restrict access to PCI MSI mask bits, which allows local x86 HVM guest users to cause a denial of service (unexpected interrupt and host crash) via unspecified vectors. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4104 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-4105 CVE STATUS: Patched CVE SUMMARY: Xen 3.3.x through 4.5.x enables logging for PCI MSI-X pass-through error messages, which allows local x86 HVM guests to cause a denial of service (host disk consumption) via certain invalid operations. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4105 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-4163 CVE STATUS: Patched CVE SUMMARY: GNTTABOP_swap_grant_ref in Xen 4.2 through 4.5 does not check the grant table operation version, which allows local guest domains to cause a denial of service (NULL pointer dereference) via a hypercall without a GNTTABOP_setup_table or GNTTABOP_set_version. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4163 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-4164 CVE STATUS: Patched CVE SUMMARY: The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way through a loop, which allows local 32-bit PV guest administrators to cause a denial of service (large loop and system hang) via a hypercall_iret call with EFLAGS.VM set. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4164 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-5154 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5154 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-5165 CVE STATUS: Patched CVE SUMMARY: The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5165 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-5166 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not completely unplug emulated block devices, which allows local HVM guest users to gain privileges by unplugging a block device twice. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5166 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-5307 CVE STATUS: Patched CVE SUMMARY: The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5307 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-6654 CVE STATUS: Patched CVE SUMMARY: The xenmem_add_to_physmap_one function in arch/arm/mm.c in Xen 4.5.x, 4.4.x, and earlier does not limit the number of printk console messages when reporting a failure to retrieve a reference on a foreign page, which allows remote domains to cause a denial of service by leveraging permissions to map the memory of a foreign guest. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6654 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-6815 CVE STATUS: Patched CVE SUMMARY: The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 3.5 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6815 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-7311 CVE STATUS: Patched CVE SUMMARY: libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly flag on disks when using the qemu-xen device model, which allows local guest users to write to a read-only disk image. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7311 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-7504 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: QEMU pcnet emulator heap overflow; QEMU not built by this recipe CVE SUMMARY: Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7504 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-7812 CVE STATUS: Patched CVE SUMMARY: The hypercall_create_continuation function in arch/arm/domain.c in Xen 4.4.x through 4.6.x allows local guest users to cause a denial of service (host crash) via a preemptible hypercall to the multicall interface. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7812 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-7813 CVE STATUS: Patched CVE SUMMARY: Xen 4.4.x, 4.5.x, and 4.6.x does not limit the number of printk console messages when reporting unimplemented hypercalls, which allows local guests to cause a denial of service via a sequence of (1) HYPERVISOR_physdev_op hypercalls, which are not properly handled in the do_physdev_op function in arch/arm/physdev.c, or (2) HYPERVISOR_hvm_op hypercalls, which are not properly handled in the do_hvm_op function in arch/arm/hvm.c. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7813 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-7814 CVE STATUS: Patched CVE SUMMARY: Race condition in the relinquish_memory function in arch/arm/domain.c in Xen 4.6.x and earlier allows local domains with partial management control to cause a denial of service (host crash) via vectors involving the destruction of a domain and using XENMEM_decrease_reservation to reduce the memory of the domain. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7814 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-7835 CVE STATUS: Patched CVE SUMMARY: The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x does not properly validate level 2 page table entries, which allows local PV guest administrators to gain privileges via a crafted superpage mapping. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7835 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-7969 CVE STATUS: Patched CVE SUMMARY: Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest administrators or domains with certain permission to cause a denial of service (memory consumption) via a large number of "teardowns" of domains with the vcpu pointer array allocated using the (1) XEN_DOMCTL_max_vcpus hypercall or the xenoprofile state vcpu pointer array allocated using the (2) XENOPROF_get_buffer or (3) XENOPROF_set_passive hypercall. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7969 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-7970 CVE STATUS: Patched CVE SUMMARY: The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3.4.x, 3.5.x, and 3.6.x is not preemptible, which allows local x86 HVM guest administrators to cause a denial of service (CPU consumption and possibly reboot) via crafted memory contents that triggers a "time-consuming linear scan," related to Populate-on-Demand. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7970 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-7971 CVE STATUS: Patched CVE SUMMARY: Xen 3.2.x through 4.6.x does not limit the number of printk console messages when logging certain pmu and profiling hypercalls, which allows local guests to cause a denial of service via a sequence of crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly handled in the do_xenoprof_op function in common/xenoprof.c, or (2) HYPERVISOR_xenpmu_op hypercalls, which are not properly handled in the do_xenpmu_op function in arch/x86/cpu/vpmu.c. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7971 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-7972 CVE STATUS: Patched CVE SUMMARY: The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2) libxl__build_post function in tools/libxl/libxl_dom.c in Xen 3.4.x through 4.6.x do not properly calculate the balloon size when using the populate-on-demand (PoD) system, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors related to "heavy memory pressure." CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7972 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-8104 CVE STATUS: Patched CVE SUMMARY: The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 10.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8104 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-8338 CVE STATUS: Patched CVE SUMMARY: Xen 4.6.x and earlier does not properly enforce limits on page order inputs for the (1) XENMEM_increase_reservation, (2) XENMEM_populate_physmap, (3) XENMEM_exchange, and possibly other HYPERVISOR_memory_op suboperations, which allows ARM guest OS administrators to cause a denial of service (CPU consumption, guest reboot, or watchdog timeout and host reboot) and possibly have unspecified other impact via unknown vectors. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8338 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-8339 CVE STATUS: Patched CVE SUMMARY: The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly hand back pages to a domain, which might allow guest OS administrators to cause a denial of service (host crash) via unspecified vectors related to domain teardown. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8339 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-8340 CVE STATUS: Patched CVE SUMMARY: The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly release locks, which might allow guest OS administrators to cause a denial of service (deadlock or host crash) via unspecified vectors, related to XENMEM_exchange error handling. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8340 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-8341 CVE STATUS: Patched CVE SUMMARY: The libxl toolstack library in Xen 4.1.x through 4.6.x does not properly release mappings of files used as kernels and initial ramdisks when managing multiple domains in the same process, which allows attackers to cause a denial of service (memory and disk consumption) by starting domains. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8341 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-8550 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: PV driver double-fetch; fix is in Linux/QEMU front/back-ends CVE SUMMARY: Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability. CVSS v2 BASE SCORE: 5.7 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8550 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-8552 CVE STATUS: Patched CVE SUMMARY: The PCI backend driver in Xen, when running on an x86 system and using Linux 3.1.x through 4.3.x as the driver domain, allows local guest administrators to generate a continuous stream of WARN messages and cause a denial of service (disk consumption) by leveraging a system with access to a passed-through MSI or MSI-X capable physical PCI device and XEN_PCI_OP_enable_msi operations, aka "Linux pciback missing sanity checks." CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8552 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-8553 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: Linux PV guest NMI handling (XSA-7 follow-up) CVE SUMMARY: Xen allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory by not enabling memory and I/O decoding control bits. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0777. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8553 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-8554 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using the qemu-xen-traditional (aka qemu-dm) device model, allows local x86 HVM guest administrators to gain privileges by leveraging a system with access to a passed-through MSI-X capable physical PCI device and MSI-X table entries, related to a "write path." CVSS v2 BASE SCORE: 6.6 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8554 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-8555 CVE STATUS: Patched CVE SUMMARY: Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8555 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2015-8615 CVE STATUS: Patched CVE SUMMARY: The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6 does not limit the number of printk console messages when logging the new callback method, which allows local HVM guest OS users to cause a denial of service via a large number of changes to the callback method (HVM_PARAM_CALLBACK_IRQ). CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8615 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-10013 CVE STATUS: Patched CVE SUMMARY: Xen through 4.8.x allows local 64-bit x86 HVM guest OS users to gain privileges by leveraging mishandling of SYSCALL singlestep during emulation. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10013 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-10024 CVE STATUS: Patched CVE SUMMARY: Xen through 4.8.x allows local x86 PV guest OS kernel administrators to cause a denial of service (host hang or crash) by modifying the instruction stream asynchronously while performing certain kernel operations. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10024 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-10025 CVE STATUS: Patched CVE SUMMARY: VMFUNC emulation in Xen 4.6.x through 4.8.x on x86 systems using AMD virtualization extensions (aka SVM) allows local HVM guest OS users to cause a denial of service (hypervisor crash) by leveraging a missing NULL pointer check. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10025 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-1570 CVE STATUS: Patched CVE SUMMARY: The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, and 4.1.x through 4.6.x allows local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 8.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1570 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-1571 CVE STATUS: Patched CVE SUMMARY: The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1571 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-2270 CVE STATUS: Patched CVE SUMMARY: Xen 4.6.x and earlier allows local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2270 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-2271 CVE STATUS: Patched CVE SUMMARY: VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2271 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-3157 CVE STATUS: Patched CVE SUMMARY: The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel does not properly context-switch IOPL on 64-bit PV Xen guests, which allows local guest OS users to gain privileges, cause a denial of service (guest OS crash), or obtain sensitive information by leveraging I/O port access. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3157 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-3158 CVE STATUS: Patched CVE SUMMARY: The xrstor function in arch/x86/xstate.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3158 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-3159 CVE STATUS: Patched CVE SUMMARY: The fpu_fxrstor function in arch/x86/i387.c in Xen 4.x does not properly handle writes to the hardware FSW.ES bit when running on AMD64 processors, which allows local guest OS users to obtain sensitive register content information from another guest by leveraging pending exception and mask bits. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2076. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3159 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-3960 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-173 shadow pagetables address-width overflow CVE SUMMARY: Integer overflow in the x86 shadow pagetable code in Xen allows local guest OS users to cause a denial of service (host crash) or possibly gain privileges by shadowing a superpage mapping. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3960 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-3961 CVE STATUS: Patched CVE SUMMARY: Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs support in x86 PV guests, which allows local PV guest OS users to cause a denial of service (guest OS crash) by attempting to access a hugetlbfs mapped area. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3961 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-4480 CVE STATUS: Patched CVE SUMMARY: The guest_walk_tables function in arch/x86/mm/guest_walk.c in Xen 4.6.x and earlier does not properly handle the Page Size (PS) page table entry bit at the L4 and L3 page table levels, which might allow local guest OS users to gain privileges via a crafted mapping of memory. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4480 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-4962 CVE STATUS: Patched CVE SUMMARY: The libxl device-handling in Xen 4.6.x and earlier allows local OS guest administrators to cause a denial of service (resource consumption or management facility confusion) or gain host OS privileges by manipulating information in guest controlled areas of xenstore. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4962 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-4963 CVE STATUS: Patched CVE SUMMARY: The libxl device-handling in Xen through 4.6.x allows local guest OS users with access to the driver domain to cause a denial of service (management tool confusion) by manipulating information in the backend directories in xenstore. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4963 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-5242 CVE STATUS: Patched CVE SUMMARY: The p2m_teardown function in arch/arm/p2m.c in Xen 4.4.x through 4.6.x allows local guest OS users with access to the driver domain to cause a denial of service (NULL pointer dereference and host OS crash) by creating concurrent domains and holding references to them, related to VMID exhaustion. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5242 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-6258 CVE STATUS: Patched CVE SUMMARY: The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6258 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-6259 CVE STATUS: Patched CVE SUMMARY: Xen 4.5.x through 4.7.x do not implement Supervisor Mode Access Prevention (SMAP) whitelisting in 32-bit exception and event delivery, which allows local 32-bit PV guest OS kernels to cause a denial of service (hypervisor and VM crash) by triggering a safety check. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6259 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-7092 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-185 32-bit L3 recursive PT CVE SUMMARY: The get_page_from_l3e function in arch/x86/mm.c in Xen allows local 32-bit PV guest OS administrators to gain host OS privileges via vectors related to L3 recursive pagetables. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7092 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-7093 CVE STATUS: Patched CVE SUMMARY: Xen 4.5.3, 4.6.3, and 4.7.x allow local HVM guest OS administrators to overwrite hypervisor memory and consequently gain host OS privileges by leveraging mishandling of instruction pointer truncation during emulation. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7093 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-7094 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS administrators on guests running with shadow paging to cause a denial of service via a pagetable update. CVSS v2 BASE SCORE: 1.5 CVSS v3 BASE SCORE: 4.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7094 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-7154 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the FIFO event channel code in Xen 4.4.x allows local guest OS administrators to cause a denial of service (host crash) and possibly execute arbitrary code or obtain sensitive information via an invalid guest frame number. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7154 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-7777 CVE STATUS: Patched CVE SUMMARY: Xen 4.7.x and earlier does not properly honor CR0.TS and CR0.EM, which allows local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7777 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-9377 CVE STATUS: Patched CVE SUMMARY: Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging IDT entry miscalculation. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9377 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-9378 CVE STATUS: Patched CVE SUMMARY: Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging an incorrect choice for software interrupt delivery. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9378 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-9379 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-198 pygrub S-expression delimiter injection CVE SUMMARY: The pygrub boot loader emulator in Xen, when S-expression output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via string quotes and S-expressions in the bootloader configuration file. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9379 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-9380 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-198 pygrub CVE SUMMARY: The pygrub boot loader emulator in Xen, when nul-delimited output format is requested, allows local pygrub-using guest OS administrators to read or delete arbitrary files on the host via NUL bytes in the bootloader configuration file. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9380 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-9382 CVE STATUS: Patched CVE SUMMARY: Xen 4.0.x through 4.7.x mishandle x86 task switches to VM86 mode, which allows local 32-bit x86 HVM guest OS users to gain privileges or cause a denial of service (guest OS crash) by leveraging a guest operating system that uses hardware task switching and allows a new task to start in VM86 mode. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9382 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-9383 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-195 instruction-emulator BT CVE SUMMARY: Xen, when running on a 64-bit hypervisor, allows local x86 guest OS users to modify arbitrary memory and consequently obtain sensitive information, cause a denial of service (host crash), or execute arbitrary code on the host by leveraging broken emulation of bit test instructions. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9383 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-9384 CVE STATUS: Patched CVE SUMMARY: Xen 4.7 allows local guest OS users to obtain sensitive host information by loading a 32-bit ELF symbol table. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9384 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-9385 CVE STATUS: Patched CVE SUMMARY: The x86 segment base write emulation functionality in Xen 4.4.x through 4.7.x allows local x86 PV guest OS administrators to cause a denial of service (host crash) by leveraging lack of canonical address checks. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9385 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-9386 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-191 null segment usability CVE SUMMARY: The x86 emulator in Xen does not properly treat x86 NULL segments as unusable when accessing memory, which might allow local HVM guest users to gain privileges via vectors involving "unexpected" base/limit values. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9386 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-9815 CVE STATUS: Patched CVE SUMMARY: Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host panic) by sending an asynchronous abort. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9815 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-9816 CVE STATUS: Patched CVE SUMMARY: Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at EL2. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9816 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-9817 CVE STATUS: Patched CVE SUMMARY: Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving a (1) data or (2) prefetch abort with the ESR_EL2.EA bit set. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9817 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-9818 CVE STATUS: Patched CVE SUMMARY: Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at HYP. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9818 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2016-9932 CVE STATUS: Patched CVE SUMMARY: CMPXCHG8B emulation in Xen 3.3.x through 4.7.x on x86 systems allows local HVM guest OS users to obtain sensitive information from host stack memory via a "supposedly-ignored" operand size prefix. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9932 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-10912 CVE STATUS: Patched CVE SUMMARY: Xen through 4.8.x mishandles page transfer, which allows guest OS users to obtain privileged host OS access, aka XSA-217. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 10.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10912 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-10913 CVE STATUS: Patched CVE SUMMARY: The grant-table feature in Xen through 4.8.x provides false mapping information in certain cases of concurrent unmap calls, which allows backend attackers to obtain sensitive information or gain privileges, aka XSA-218 bug 1. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10913 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-10914 CVE STATUS: Patched CVE SUMMARY: The grant-table feature in Xen through 4.8.x has a race condition leading to a double free, which allows guest OS users to cause a denial of service (memory consumption), or possibly obtain sensitive information or gain privileges, aka XSA-218 bug 2. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10914 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-10915 CVE STATUS: Patched CVE SUMMARY: The shadow-paging feature in Xen through 4.8.x mismanages page references and consequently introduces a race condition, which allows guest OS users to obtain Xen privileges, aka XSA-219. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 9.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10915 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-10916 CVE STATUS: Patched CVE SUMMARY: The vCPU context-switch implementation in Xen through 4.8.x improperly interacts with the Memory Protection Extensions (MPX) and Protection Key (PKU) features, which makes it easier for guest OS users to defeat ASLR and other protection mechanisms, aka XSA-220. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10916 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-10917 CVE STATUS: Patched CVE SUMMARY: Xen through 4.8.x does not validate the port numbers of polled event channel ports, which allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) or possibly obtain sensitive information, aka XSA-221. CVSS v2 BASE SCORE: 9.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10917 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-10918 CVE STATUS: Patched CVE SUMMARY: Xen through 4.8.x does not validate memory allocations during certain P2M operations, which allows guest OS users to obtain privileged host OS access, aka XSA-222. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 10.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10918 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-10919 CVE STATUS: Patched CVE SUMMARY: Xen through 4.8.x mishandles virtual interrupt injection, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-223. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10919 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-10920 CVE STATUS: Patched CVE SUMMARY: The grant-table feature in Xen through 4.8.x mishandles a GNTMAP_device_map and GNTMAP_host_map mapping, when followed by only a GNTMAP_host_map unmapping, which allows guest OS users to cause a denial of service (count mismanagement and memory corruption) or obtain privileged host OS access, aka XSA-224 bug 1. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 10.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10920 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-10921 CVE STATUS: Patched CVE SUMMARY: The grant-table feature in Xen through 4.8.x does not ensure sufficient type counts for a GNTMAP_device_map and GNTMAP_host_map mapping, which allows guest OS users to cause a denial of service (count mismanagement and memory corruption) or obtain privileged host OS access, aka XSA-224 bug 2. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 10.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10921 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-10922 CVE STATUS: Patched CVE SUMMARY: The grant-table feature in Xen through 4.8.x mishandles MMIO region grant references, which allows guest OS users to cause a denial of service (loss of grant trackability), aka XSA-224 bug 3. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10922 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-10923 CVE STATUS: Patched CVE SUMMARY: Xen through 4.8.x does not validate a vCPU array index upon the sending of an SGI, which allows guest OS users to cause a denial of service (hypervisor crash), aka XSA-225. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10923 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-12134 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-229 Linux blkfront merge calc; fix is in Linux CVE SUMMARY: The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12134 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-12135 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-226 transitive grants CVE SUMMARY: Xen allows local OS guest users to cause a denial of service (crash) or possibly obtain sensitive information or gain privileges via vectors involving transitive grants. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12135 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-12136 CVE STATUS: Patched CVE SUMMARY: Race condition in the grant table code in Xen 4.6.x through 4.9.x allows local guest OS administrators to cause a denial of service (free list corruption and host crash) or gain privileges on the host via vectors involving maptrack free list handling. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12136 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-12137 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-227 map_grant_ref refcount CVE SUMMARY: arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS privileges via vectors related to map_grant_ref. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12137 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-12855 CVE STATUS: Patched CVE SUMMARY: Xen maintains the _GTF_{read,writ}ing bits as appropriate, to inform the guest that a grant is in use. A guest is expected not to modify the grant details while it is in use, whereas the guest is free to modify/reuse the grant entry when it is not in use. Under some circumstances, Xen will clear the status bits too early, incorrectly informing the guest that the grant is no longer in use. A guest may prematurely believe that a granted frame is safely private again, and reuse it in a way which contains sensitive information, while the domain on the far end of the grant is still using the grant. Xen 4.9, 4.8, 4.7, 4.6, and 4.5 are affected. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12855 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-14316 CVE STATUS: Patched CVE SUMMARY: A parameter verification issue was discovered in Xen through 4.9.x. The function `alloc_heap_pages` allows callers to specify the first NUMA node that should be used for allocations through the `memflags` parameter; the node is extracted using the `MEMF_get_node` macro. While the function checks to see if the special constant `NUMA_NO_NODE` is specified, it otherwise does not handle the case where `node >= MAX_NUMNODES`. This allows an out-of-bounds access to an internal array. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14316 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-14317 CVE STATUS: Patched CVE SUMMARY: A domain cleanup issue was discovered in the C xenstore daemon (aka cxenstored) in Xen through 4.9.x. When shutting down a VM with a stubdomain, a race in cxenstored may cause a double-free. The xenstored daemon may crash, resulting in a DoS of any parts of the system relying on it (including domain creation / destruction, ballooning, device changes, etc.). CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14317 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-14318 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen 4.5.x through 4.9.x. The function `__gnttab_cache_flush` handles GNTTABOP_cache_flush grant table operations. It checks to see if the calling domain is the owner of the page that is to be operated on. If it is not, the owner's grant table is checked to see if a grant mapping to the calling domain exists for the page in question. However, the function does not check to see if the owning domain actually has a grant table or not. Some special domains, such as `DOMID_XEN`, `DOMID_IO` and `DOMID_COW` are created without grant tables. Hence, if __gnttab_cache_flush operates on a page owned by these special domains, it will attempt to dereference a NULL pointer in the domain struct. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14318 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-14319 CVE STATUS: Patched CVE SUMMARY: A grant unmapping issue was discovered in Xen through 4.9.x. When removing or replacing a grant mapping, the x86 PV specific path needs to make sure page table entries remain in sync with other accounting done. Although the identity of the page frame was validated correctly, neither the presence of the mapping nor page writability were taken into account. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14319 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-14431 CVE STATUS: Patched CVE SUMMARY: Memory leak in Xen 3.3 through 4.8.x allows guest OS users to cause a denial of service (ARM or x86 AMD host OS memory consumption) by continually rebooting, because certain cleanup is skipped if no pass-through device was ever assigned, aka XSA-207. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14431 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-15588 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to execute arbitrary code on the host OS because of a race condition that can cause a stale TLB entry. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15588 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-15589 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to obtain sensitive information from the host OS (or an arbitrary guest OS) because intercepted I/O operations can cause a write of data from uninitialized hypervisor stack memory. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15589 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-15590 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.9.x allowing x86 guest OS users to cause a denial of service (hypervisor crash) or possibly gain privileges because MSI mapping was mishandled. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15590 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-15591 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen 4.5.x through 4.9.x allowing attackers (who control a stub domain kernel or tool stack) to cause a denial of service (host OS crash) because of a missing comparison (of range start to range end) within the DMOP map/unmap implementation. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15591 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-15592 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to cause a denial of service (hypervisor crash) or possibly gain privileges because self-linear shadow mappings are mishandled for translated guests. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15592 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-15593 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (memory leak) because reference counts are mishandled. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15593 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-15594 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.9.x allowing x86 SVM PV guest OS users to cause a denial of service (hypervisor crash) or gain privileges because IDT settings are mishandled during CPU hotplugging. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15594 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-15595 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS users to cause a denial of service (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15595 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-15596 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen 4.4.x through 4.9.x allowing ARM guest OS users to cause a denial of service (prevent physical CPU usage) because of lock mishandling upon detection of an add-to-physmap error. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15596 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-15597 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.9.x. Grant copying code made an implication that any grant pin would be accompanied by a suitable page reference. Other portions of code, however, did not match up with that assumption. When such a grant copy operation is being done on a grant of a dying domain, the assumption turns out wrong. A malicious guest administrator can cause hypervisor memory corruption, most likely resulting in host crash and a Denial of Service. Privilege escalation and information leaks cannot be ruled out. CVSS v2 BASE SCORE: 9.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15597 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-17044 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to cause a denial of service (infinite loop and host OS hang) by leveraging the mishandling of Populate on Demand (PoD) errors. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17044 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-17045 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.9.x allowing HVM guest OS users to gain privileges on the host OS, obtain sensitive information, or cause a denial of service (BUG and host OS crash) by leveraging the mishandling of Populate on Demand (PoD) Physical-to-Machine (P2M) errors. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17045 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-17046 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.9.x on the ARM platform allowing guest OS users to obtain sensitive information from DRAM after a reboot, because disjoint blocks, and physical addresses that do not start at zero, are mishandled. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17046 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-17563 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging an incorrect mask for reference-count overflow checking in shadow mode. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17563 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-17564 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.9.x allowing guest OS users to cause a denial of service (host OS crash) or gain host OS privileges by leveraging incorrect error handling for reference counting in shadow mode. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17564 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-17565 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) if shadow mode and log-dirty mode are in place, because of an incorrect assertion related to M2P. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17565 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-17566 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.9.x allowing PV guest OS users to cause a denial of service (host OS crash) or gain host OS privileges in shadow mode by mapping a certain auxiliary page. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17566 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-2615 CVE STATUS: Patched CVE SUMMARY: Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. CVSS v2 BASE SCORE: 9.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2615 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-2620 CVE STATUS: Patched CVE SUMMARY: Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. CVSS v2 BASE SCORE: 9.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2620 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-7228 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-212 memory_exchange bound check CVE SUMMARY: An issue (known as XSA-212) was discovered in Xen, with fixes available for 4.8.x, 4.7.x, 4.6.x, 4.5.x, and 4.4.x. The earlier XSA-29 fix introduced an insufficient check on XENMEM_exchange input, allowing the caller to drive hypervisor memory accesses outside of the guest provided input/output arrays. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7228 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-7995 CVE STATUS: Patched CVE SUMMARY: Xen PV guest before Xen 4.3 checked access permissions to MMIO ranges only after accessing them, allowing host PCI device space memory reads, leading to information disclosure. This is an error in the get_user function. NOTE: the upstream Xen Project considers versions before 4.5.x to be EOL. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7995 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-8903 CVE STATUS: Patched CVE SUMMARY: Xen through 4.8.x on 64-bit platforms mishandles page tables after an IRET hypercall, which might allow PV guest OS users to execute arbitrary code on the host OS, aka XSA-213. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8903 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-8904 CVE STATUS: Patched CVE SUMMARY: Xen through 4.8.x mishandles the "contains segment descriptors" property during GNTTABOP_transfer (aka guest transfer) operations, which might allow PV guest OS users to execute arbitrary code on the host OS, aka XSA-214. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8904 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2017-8905 CVE STATUS: Patched CVE SUMMARY: Xen through 4.6.x on 64-bit platforms mishandles a failsafe callback, which might allow PV guest OS users to execute arbitrary code on the host OS, aka XSA-215. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8905 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-10471 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS users to cause a denial of service (out-of-bounds zero write and hypervisor crash) via unexpected INT 80 processing, because of an incorrect fix for CVE-2017-5754. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10471 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-10472 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users (in certain configurations) to read arbitrary dom0 files via QMP live insertion of a CDROM, in conjunction with specifying the target file as the backing file of a snapshot. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10472 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-10981 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (host OS infinite loop) in situations where a QEMU device model attempts to make invalid transitions between states of a request. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10981 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-10982 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.10.x allowing x86 HVM guest OS users to cause a denial of service (unexpectedly high interrupt number, array overrun, and hypervisor crash) or possibly gain hypervisor privileges by setting up an HPET timer to deliver interrupts in IO-APIC mode, aka vHPET interrupt injection. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10982 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-12891 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.10.x. Certain PV MMU operations may take a long time to process. For that reason Xen explicitly checks for the need to preempt the current vCPU at certain points. A few rarely taken code paths did bypass such checks. By suitably enforcing the conditions through its own page table contents, a malicious guest may cause such bypasses to be used for an unbounded number of iterations. A malicious or buggy PV guest may cause a Denial of Service (DoS) affecting the entire host. Specifically, it may prevent use of a physical CPU for an indeterminate period of time. All Xen versions from 3.4 onwards are vulnerable. Xen versions 3.3 and earlier are vulnerable to an even wider class of attacks, due to them lacking preemption checks altogether in the affected code paths. Only x86 systems are affected. ARM systems are not affected. Only multi-vCPU x86 PV guests can leverage the vulnerability. x86 HVM or PVH guests as well as x86 single-vCPU PV ones cannot leverage the vulnerability. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12891 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-12892 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen 4.7 through 4.10.x. libxl fails to pass the readonly flag to qemu when setting up a SCSI disk, due to what was probably an erroneous merge conflict resolution. Malicious guest administrators or (in some situations) users may be able to write to supposedly read-only disk images. Only emulated SCSI disks (specified as "sd" in the libxl disk configuration, or an equivalent) are affected. IDE disks ("hd") are not affected (because attempts to make them readonly are rejected). Additionally, CDROM devices (that is, devices specified to be presented to the guest as CDROMs, regardless of the nature of the backing storage on the host) are not affected; they are always read only. Only systems using qemu-xen (rather than qemu-xen-traditional) as the device model version are vulnerable. Only systems using libxl or libxl-based toolstacks are vulnerable. (This includes xl, and libvirt with the libxl driver.) The vulnerability is present in Xen versions 4.7 and later. (In earlier versions, provided that the patch for XSA-142 has been applied, attempts to create read only disks are rejected.) If the host and guest together usually support PVHVM, the issue is exploitable only if the malicious guest administrator has control of the guest kernel or guest kernel command line. CVSS v2 BASE SCORE: 6.5 CVSS v3 BASE SCORE: 9.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12892 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-12893 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.10.x. One of the fixes in XSA-260 added some safety checks to help prevent Xen livelocking with debug exceptions. Unfortunately, due to an oversight, at least one of these safety checks can be triggered by a guest. A malicious PV guest can crash Xen, leading to a Denial of Service. All Xen systems which have applied the XSA-260 fix are vulnerable. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only x86 PV guests can exploit the vulnerability. x86 HVM and PVH guests cannot exploit the vulnerability. An attacker needs to be able to control hardware debugging facilities to exploit the vulnerability, but such permissions are typically available to unprivileged users. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12893 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-14678 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the Linux kernel through 4.17.11, as used in Xen through 4.11.x. The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S does not properly maintain RBX, which allows local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14678 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-15468 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x. The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must only be available to fully trusted guests. Unfortunately, in the case that vPMU is disabled, all value checking was skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes. A malicious or buggy guest administrator (on Intel x86 HVM or PVH) can lock up the entire host, causing a Denial of Service. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15468 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-15469 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x. ARM never properly implemented grant table v2, either in the hypervisor or in Linux. Unfortunately, an ARM guest can still request v2 grant tables; they will simply not be properly set up, resulting in subsequent grant-related hypercalls hitting BUG() checks. An unprivileged guest can cause a BUG() check in the hypervisor, resulting in a denial-of-service (crash). CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15469 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-15470 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x. The logic in oxenstored for handling writes depended on the order of evaluation of expressions making up a tuple. As indicated in section 7.7.3 "Operations on data structures" of the OCaml manual, the order of evaluation of subexpressions is not specified. In practice, different implementations behave differently. Thus, oxenstored may not enforce the configured quota-maxentity. This allows a malicious or buggy guest to write as many xenstore entries as it wishes, causing unbounded memory usage in oxenstored. This can lead to a system-wide DoS. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15470 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-15471 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used in Xen through 4.11.x and other products. The Linux netback driver allows frontends to control mapping of requests to request queues. When processing a request to set or change this mapping, some input validation (e.g., for an integer overflow) was missing or flawed, leading to OOB access in hash handling. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in one or more of privilege escalation, Denial of Service (DoS), or information leaks. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15471 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-18883 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen 4.9.x through 4.11.x, on Intel x86 platforms, allowing x86 HVM and PVH guests to cause a host OS denial of service (NULL pointer dereference) or possibly have unspecified other impact because nested VT-x is not properly restricted. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18883 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-19961 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because TLB flushes do not always occur after IOMMU mapping changes. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19961 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-19962 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x on AMD x86 platforms, possibly allowing guest OS users to gain host OS privileges because small IOMMU mappings are unsafely combined into larger ones. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19962 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-19963 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen 4.11 allowing HVM guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because x86 IOREQ server resource accounting (for external emulators) was mishandled. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19963 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-19964 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen 4.11.x allowing x86 guest OS users to cause a denial of service (host OS hang) because the p2m lock remains unavailable indefinitely in certain error conditions. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19964 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-19965 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest OS users to cause a denial of service (host OS crash) because #GP[0] can occur after a non-canonical address is passed to the TLB flushing code. NOTE: this issue exists because of an incorrect CVE-2017-5754 (aka Meltdown) mitigation. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19965 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-19966 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service (host OS crash) or possibly gain host OS privileges because of an interpretation conflict for a union data structure associated with shadow paging. NOTE: this issue exists because of an incorrect fix for CVE-2017-15595. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19966 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-19967 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x on Intel x86 platforms allowing guest OS users to cause a denial of service (host OS hang) because Xen does not work around Intel's mishandling of certain HLE transactions associated with the KACQUIRE instruction prefix. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19967 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-5244 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-253 MSR emulation memory leak CVE SUMMARY: In Xen 4.10, new infrastructure was introduced as part of an overhaul to how MSR emulation happens for guests. Unfortunately, one tracking structure isn't freed when a vcpu is destroyed. This allows guest OS administrators to cause a denial of service (host OS memory consumption) by rebooting many times. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5244 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-7540 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.10.x allowing x86 PV guest OS users to cause a denial of service (host OS CPU hang) via non-preemptable L3/L4 pagetable freeing. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7540 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-7541 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.10.x allowing guest OS users to cause a denial of service (hypervisor crash) or gain privileges by triggering a grant-table transition from v2 to v1. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7541 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-7542 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen 4.8.x through 4.10.x allowing x86 PVH guest OS users to cause a denial of service (NULL pointer dereference and hypervisor crash) by leveraging the mishandling of configurations that lack a Local APIC. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7542 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2018-8897 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-260 MOV/POP SS debug exception CVE SUMMARY: A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-8897 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-17340 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x allowing x86 guest OS users to cause a denial of service or gain privileges because grant-table transfer requests are mishandled. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17340 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-17341 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging a page-writability race condition during addition of a passed-through PCI device. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17341 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-17342 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging a race condition that arose when XENMEM_exchange was introduced. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17342 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-17343 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges by leveraging incorrect use of the HVM physmap concept for PV domains. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17343 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-17344 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service by leveraging a long-running operation that exists to support restartability of PTE updates. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17344 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-17345 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen 4.8.x through 4.11.x allowing x86 PV guest OS users to cause a denial of service because mishandling of failed IOMMU operations causes a bug check during the cleanup of a crashed guest. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17345 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-17346 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because of an incompatibility between Process Context Identifiers (PCID) and TLB flushes. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17346 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-17347 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service or gain privileges because a guest can manipulate its virtualised %cr4 in a way that is incompatible with Linux (and possibly other guest kernels). CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17347 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-17348 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x allowing x86 PV guest OS users to cause a denial of service because of an incompatibility between Process Context Identifiers (PCID) and shadow-pagetable switching. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17348 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-17349 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a LoadExcl or StoreExcl operation. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17349 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-17350 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.12.x allowing Arm domU attackers to cause a denial of service (infinite loop) involving a compare-and-exchange operation. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17350 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-17351 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in drivers/xen/balloon.c in the Linux kernel before 5.2.3, as used in Xen through 4.12.x, allowing guest OS users to cause a denial of service because of unrestricted resource consumption during the mapping of guest memory, aka CID-6ef36ab967c7. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17351 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-18420 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via a VCPUOP_initialise hypercall. hypercall_create_continuation() is a variadic function which uses a printf-like format string to interpret its parameters. Error handling for a bad format character was done using BUG(), which crashes Xen. One path, via the VCPUOP_initialise hypercall, has a bad format character. The BUG() can be hit if VCPUOP_initialise executes for a sufficiently long period of time for a continuation to be created. Malicious guests may cause a hypervisor crash, resulting in a Denial of Service (DoS). Xen versions 4.6 and newer are vulnerable. Xen versions 4.5 and earlier are not vulnerable. Only x86 PV guests can exploit the vulnerability. HVM and PVH guests, and guests on ARM systems, cannot exploit the vulnerability. CVSS v2 BASE SCORE: 6.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18420 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-18421 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by leveraging race conditions in pagetable promotion and demotion operations. There are issues with restartable PV type change operations. To avoid using shadow pagetables for PV guests, Xen exposes the actual hardware pagetables to the guest. In order to prevent the guest from modifying these page tables directly, Xen keeps track of how pages are used using a type system; pages must be "promoted" before being used as a pagetable, and "demoted" before being used for any other type. Xen also allows for "recursive" promotions: i.e., an operating system promoting a page to an L4 pagetable may end up causing pages to be promoted to L3s, which may in turn cause pages to be promoted to L2s, and so on. These operations may take an arbitrarily large amount of time, and so must be re-startable. Unfortunately, making recursive pagetable promotion and demotion operations restartable is incredibly complicated, and the code contains several races which, if triggered, can cause Xen to drop or retain extra type counts, potentially allowing guests to get write access to in-use pagetables. A malicious PV guest administrator may be able to escalate their privilege to that of the host. All x86 systems with untrusted PV guests are vulnerable. HVM and PVH guests cannot exercise this vulnerability. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18421 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-18422 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service or gain privileges by leveraging the erroneous enabling of interrupts. Interrupts are unconditionally unmasked in exception handlers. When an exception occurs on an ARM system which is handled without changing processor level, some interrupts are unconditionally enabled during exception entry. So exceptions which occur when interrupts are masked will effectively unmask the interrupts. A malicious guest might contrive to arrange for critical Xen code to run with interrupts erroneously enabled. This could lead to data corruption, denial of service, or possibly even privilege escalation. However a precise attack technique has not been identified. CVSS v2 BASE SCORE: 8.5 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18422 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-18423 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service via a XENMEM_add_to_physmap hypercall. p2m->max_mapped_gfn is used by the functions p2m_resolve_translation_fault() and p2m_get_entry() to sanity check guest physical frame. The rest of the code in the two functions will assume that there is a valid root table and check that with BUG_ON(). The function p2m_get_root_pointer() will ignore the unused top bits of a guest physical frame. This means that the function p2m_set_entry() will alias the frame. However, p2m->max_mapped_gfn will be updated using the original frame. It would be possible to set p2m->max_mapped_gfn high enough to cover a frame that would lead p2m_get_root_pointer() to return NULL in p2m_get_entry() and p2m_resolve_translation_fault(). Additionally, the sanity check on p2m->max_mapped_gfn is off-by-one allowing "highest mapped + 1" to be considered valid. However, p2m_get_root_pointer() will return NULL. The problem could be triggered with a specially crafted hypercall XENMEM_add_to_physmap{, _batch} followed by an access to an address (via hypercall or direct access) that passes the sanity check but cause p2m_get_root_pointer() to return NULL. A malicious guest administrator may cause a hypervisor crash, resulting in a Denial of Service (DoS). Xen version 4.8 and newer are vulnerable. Only Arm systems are vulnerable. x86 systems are not affected. CVSS v2 BASE SCORE: 8.5 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18423 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-18424 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device. This occurs because passed through PCI devices may corrupt host memory after deassignment. When a PCI device is assigned to an untrusted domain, it is possible for that domain to program the device to DMA to an arbitrary address. The IOMMU is used to protect the host from malicious DMA by making sure that the device addresses can only target memory assigned to the guest. However, when the guest domain is torn down, or the device is deassigned, the device is assigned back to dom0, thus allowing any in-flight DMA to potentially target critical host data. An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18424 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-18425 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest OS users to gain guest OS privileges by installing and using descriptors. There is missing descriptor table limit checking in x86 PV emulation. When emulating certain PV guest operations, descriptor table accesses are performed by the emulating code. Such accesses should respect the guest specified limits, unless otherwise guaranteed to fail in such a case. Without this, emulation of 32-bit guest user mode calls through call gates would allow guest user mode to install and then use descriptors of their choice, as long as the guest kernel did not itself install an LDT. (Most OSes don't install any LDT by default). 32-bit PV guest user mode can elevate its privileges to that of the guest kernel. Xen versions from at least 3.2 onwards are affected. Only 32-bit PV guest user mode can leverage this vulnerability. HVM, PVH, as well as 64-bit PV guests cannot leverage this vulnerability. Arm systems are unaffected. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18425 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-19577 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.12.x allowing x86 AMD HVM guest OS users to cause a denial of service or possibly gain privileges by triggering data-structure access during pagetable-height updates. When running on AMD systems with an IOMMU, Xen attempted to dynamically adapt the number of levels of pagetables (the pagetable height) in the IOMMU according to the guest's address space size. The code to select and update the height had several bugs. Notably, the update was done without taking a lock which is necessary for safe operation. A malicious guest administrator can cause Xen to access data structures while they are being modified, causing Xen to crash. Privilege escalation is thought to be very difficult but cannot be ruled out. Additionally, there is a potential memory leak of 4kb per guest boot, under memory pressure. Only Xen on AMD CPUs is vulnerable. Xen running on Intel CPUs is not vulnerable. ARM systems are not vulnerable. Only systems where guests are given direct access to physical devices are vulnerable. Systems which do not use PCI pass-through are not vulnerable. Only HVM guests can exploit the vulnerability. PV and PVH guests cannot. All versions of Xen with IOMMU support are vulnerable. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19577 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-19578 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service via degenerate chains of linear pagetables, because of an incorrect fix for CVE-2017-15595. "Linear pagetables" is a technique which involves either pointing a pagetable at itself, or to another pagetable of the same or higher level. Xen has limited support for linear pagetables: A page may either point to itself, or point to another pagetable of the same level (i.e., L2 to L2, L3 to L3, and so on). XSA-240 introduced an additional restriction that limited the "depth" of such chains by allowing pages to either *point to* other pages of the same level, or *be pointed to* by other pages of the same level, but not both. To implement this, we keep track of the number of outstanding times a page points to or is pointed to another page table, to prevent both from happening at the same time. Unfortunately, the original commit introducing this reset this count when resuming validation of a partially-validated pagetable, incorrectly dropping some "linear_pt_entry" counts. If an attacker could engineer such a situation to occur, they might be able to make loops or other arbitrary chains of linear pagetables, as described in XSA-240. A malicious or buggy PV guest may cause the hypervisor to crash, resulting in Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be excluded. All versions of Xen are vulnerable. Only x86 systems are affected. Arm systems are not affected. Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability. Only systems which have enabled linear pagetables are vulnerable. Systems which have disabled linear pagetables, either by selecting CONFIG_PV_LINEAR_PT=n when building the hypervisor, or adding pv-linear-pt=false on the command-line, are not vulnerable. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19578 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-19579 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a situation where an untrusted domain has access to a physical device (and assignable-add is not used), because of an incomplete fix for CVE-2019-18424. XSA-302 relies on the use of libxl's "assignable-add" feature to prepare devices to be assigned to untrusted guests. Unfortunately, this is not considered a strictly required step for device assignment. The PCI passthrough documentation on the wiki describes alternate ways of preparing devices for assignment, and libvirt uses its own ways as well. Hosts where these "alternate" methods are used will still leave the system in a vulnerable state after the device comes back from a guest. An untrusted domain with access to a physical device can DMA into host memory, leading to privilege escalation. Only systems where guests are given direct access to physical devices capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19579 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-19580 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by leveraging race conditions in pagetable promotion and demotion operations, because of an incomplete fix for CVE-2019-18421. XSA-299 addressed several critical issues in restartable PV type change operations. Despite extensive testing and auditing, some corner cases were missed. A malicious PV guest administrator may be able to escalate their privilege to that of the host. All security-supported versions of Xen are vulnerable. Only x86 systems are affected. Arm systems are not affected. Only x86 PV guests can leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability. Note that these attacks require very precise timing, which may be difficult to exploit in practice. CVSS v2 BASE SCORE: 6.0 CVSS v3 BASE SCORE: 6.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19580 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-19581 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.12.x allowing 32-bit Arm guest OS users to cause a denial of service (out-of-bounds access) because certain bit iteration is mishandled. In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: On 32-bit Arm accesses to bitmaps with bit a count which is a multiple of 32, an out of bounds access may occur. A malicious guest may cause a hypervisor crash or hang, resulting in a Denial of Service (DoS). All versions of Xen are vulnerable. 32-bit Arm systems are vulnerable. 64-bit Arm systems are not vulnerable. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19581 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-19582 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.12.x allowing x86 guest OS users to cause a denial of service (infinite loop) because certain bit iteration is mishandled. In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: On x86 accesses to bitmaps with a compile time known size of 64 may incur undefined behavior, which may in particular result in infinite loops. A malicious guest may cause a hypervisor crash or hang, resulting in a Denial of Service (DoS). All versions of Xen are vulnerable. x86 systems with 64 or more nodes are vulnerable (there might not be any such systems that Xen would run on). x86 systems with less than 64 nodes are not vulnerable. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19582 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2019-19583 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.12.x allowing x86 HVM/PVH guest OS users to cause a denial of service (guest OS crash) because VMX VMEntry checks mishandle a certain case. Please see XSA-260 for background on the MovSS shadow. Please see XSA-156 for background on the need for #DB interception. The VMX VMEntry checks do not like the exact combination of state which occurs when #DB in intercepted, Single Stepping is active, and blocked by STI/MovSS is active, despite this being a legitimate state to be in. The resulting VMEntry failure is fatal to the guest. HVM/PVH guest userspace code may be able to crash the guest, resulting in a guest Denial of Service. All versions of Xen are affected. Only systems supporting VMX hardware virtual extensions (Intel, Cyrix, or Zhaoxin CPUs) are affected. Arm and AMD systems are unaffected. Only HVM/PVH guests are affected. PV guests cannot leverage the vulnerability. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19583 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-11739 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service or possibly gain privileges because of missing memory barriers in read-write unlock paths. The read-write unlock paths don't contain a memory barrier. On Arm, this means a processor is allowed to re-order the memory access with the preceding ones. In other words, the unlock may be seen by another processor before all the memory accesses within the "critical" section. As a consequence, it may be possible to have a writer executing a critical section at the same time as readers or another writer. In other words, many of the assumptions (e.g., a variable cannot be modified after a check) in the critical sections are not safe anymore. The read-write locks are used in hypercalls (such as grant-table ones), so a malicious guest could exploit the race. For instance, there is a small window where Xen can leak memory if XENMAPSPACE_grant_table is used concurrently. A malicious guest may be able to leak memory, or cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11739 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-11740 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active profiling) to obtain sensitive information about other guests. Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11740 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-11741 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (with active profiling) to obtain sensitive information about other guests, cause a denial of service, or possibly gain privileges. For guests for which "active" profiling was enabled by the administrator, the xenoprof code uses the standard Xen shared ring structure. Unfortunately, this code did not treat the guest as a potential adversary: it trusts the guest not to modify buffer size information or modify head / tail pointers in unexpected ways. This can crash the host (DoS). Privilege escalation cannot be ruled out. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11741 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-11742 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of bad continuation handling in GNTTABOP_copy. Grant table operations are expected to return 0 for success, and a negative number for errors. The fix for CVE-2017-12135 introduced a path through grant copy handling where success may be returned to the caller without any action taken. In particular, the status fields of individual operations are left uninitialised, and may result in errant behaviour in the caller of GNTTABOP_copy. A buggy or malicious guest can construct its grant table in such a way that, when a backend domain tries to copy a grant, it hits the incorrect exit path. This returns success to the caller without doing anything, which may cause crashes or other incorrect behaviour. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11742 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-11743 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service because of a bad error path in GNTTABOP_map_grant. Grant table operations are expected to return 0 for success, and a negative number for errors. Some misplaced brackets cause one error path to return 1 instead of a negative value. The grant table code in Linux treats this condition as success, and proceeds with incorrectly initialised state. A buggy or malicious guest can construct its grant table in such a way that, when a backend domain tries to map a grant, it hits the incorrect error path. This will crash a Linux based dom0 or backend domain. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11743 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-15563 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.13.x, allowing x86 HVM guest OS users to cause a hypervisor crash. An inverted conditional in x86 HVM guests' dirty video RAM tracking code allows such guests to make Xen de-reference a pointer guaranteed to point at unmapped space. A malicious or buggy HVM guest may cause the hypervisor to crash, resulting in Denial of Service (DoS) affecting the entire host. Xen versions from 4.8 onwards are affected. Xen versions 4.7 and earlier are not affected. Only x86 systems are affected. Arm systems are not affected. Only x86 HVM guests using shadow paging can leverage the vulnerability. In addition, there needs to be an entity actively monitoring a guest's video frame buffer (typically for display purposes) in order for such a guest to be able to leverage the vulnerability. x86 PV guests, as well as x86 HVM guests using hardware assisted paging (HAP), cannot leverage the vulnerability. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15563 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-15564 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.13.x, allowing Arm guest OS users to cause a hypervisor crash because of a missing alignment check in VCPUOP_register_vcpu_info. The hypercall VCPUOP_register_vcpu_info is used by a guest to register a shared region with the hypervisor. The region will be mapped into Xen address space so it can be directly accessed. On Arm, the region is accessed with instructions that require a specific alignment. Unfortunately, there is no check that the address provided by the guest will be correctly aligned. As a result, a malicious guest could cause a hypervisor crash by passing a misaligned address. A malicious guest administrator may cause a hypervisor crash, resulting in a Denial of Service (DoS). All Xen versions are vulnerable. Only Arm systems are vulnerable. x86 systems are not affected. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15564 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-15565 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs, a CPU cache also needs writing back to memory after changes were made. Such writing back of cached data was missing in particular when splitting large page mappings into smaller granularity ones. A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose. Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out. Xen versions from at least 3.2 onwards are affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15565 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-15566 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a host OS crash because of incorrect error handling in event-channel port allocation. The allocation of an event-channel port may fail for multiple reasons: (1) port is already in use, (2) the memory allocation failed, or (3) the port we try to allocate is higher than what is supported by the ABI (e.g., 2L or FIFO) used by the guest or the limit set by an administrator (max_event_channels in xl cfg). Due to the missing error checks, only (1) will be considered an error. All the other cases will provide a valid port and will result in a crash when trying to access the event channel. When the administrator configured a guest to allow more than 1023 event channels, that guest may be able to crash the host. When Xen is out-of-memory, allocation of new event channels will result in crashing the host rather than reporting an error. Xen versions 4.10 and later are affected. All architectures are affected. The default configuration, when guests are created with xl/libxl, is not vulnerable, because of the default event-channel limit. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15566 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-15567 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.13.x, allowing Intel guest OS users to gain privileges or cause a denial of service because of non-atomic modification of a live EPT PTE. When mapping guest EPT (nested paging) tables, Xen would in some circumstances use a series of non-atomic bitfield writes. Depending on the compiler version and optimisation flags, Xen might expose a dangerous partially written PTE to the hardware, which an attacker might be able to race to exploit. A guest administrator or perhaps even an unprivileged guest user might be able to cause denial of service, data corruption, or privilege escalation. Only systems using Intel CPUs are vulnerable. Systems using AMD CPUs, and Arm systems, are not vulnerable. Only systems using nested paging (hap, aka nested paging, aka in this case Intel EPT) are vulnerable. Only HVM and PVH guests can exploit the vulnerability. The presence and scope of the vulnerability depends on the precise optimisations performed by the compiler used to build Xen. If the compiler generates (a) a single 64-bit write, or (b) a series of read-modify-write operations in the same order as the source code, the hypervisor is not vulnerable. For example, in one test build using GCC 8.3 with normal settings, the compiler generated multiple (unlocked) read-modify-write operations in source-code order, which did not constitute a vulnerability. We have not been able to survey compilers; consequently we cannot say which compiler(s) might produce vulnerable code (with which code-generation options). The source code clearly violates the C rules, and thus should be considered vulnerable. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15567 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-15852 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the Linux kernel 5.5 through 5.7.9, as used in Xen through 4.13.x for x86 PV guests. An attacker may be granted the I/O port permissions of an unrelated task. This occurs because tss_invalidate_io_bitmap mishandling causes a loss of synchronization between the I/O bitmaps of TSS and Xen, aka CID-cadfad870154. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15852 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-25595 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. The PCI passthrough code improperly uses register data. Code paths in Xen's MSI handling have been identified that act on unsanitized values read back from device hardware registers. While devices strictly compliant with PCI specifications shouldn't be able to affect these registers, experience shows that it's very common for devices to have out-of-spec "backdoor" operations that can affect the result of these reads. A not fully trusted guest may be able to crash Xen, leading to a Denial of Service (DoS) for the entire system. Privilege escalation and information leaks cannot be excluded. All versions of Xen supporting PCI passthrough are affected. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only guests with passed through PCI devices may be able to leverage the vulnerability. Only systems passing through devices with out-of-spec ("backdoor") functionality can cause issues. Experience shows that such out-of-spec functionality is common; unless you have reason to believe that your device does not have such functionality, it's better to assume that it does. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25595 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-25596 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. This causes the guest kernel to observe a kernel-privilege #GP fault (typically fatal) rather than a user-privilege #GP fault (usually converted into SIGSEGV/etc.). Malicious or buggy userspace can crash the guest kernel, resulting in a VM Denial of Service. All versions of Xen from 3.2 onwards are vulnerable. Only x86 systems are vulnerable. ARM platforms are not vulnerable. Only x86 systems that support the SYSENTER instruction in 64bit mode are vulnerable. This is believed to be Intel, Centaur, and Shanghai CPUs. AMD and Hygon CPUs are not believed to be vulnerable. Only x86 PV guests can exploit the vulnerability. x86 PVH / HVM guests cannot exploit the vulnerability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25596 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-25597 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. However, operations like the resetting of all event channels may involve decreasing one of the bounds checked when determining validity. This may lead to bug checks triggering, crashing the host. An unprivileged guest may be able to crash Xen, leading to a Denial of Service (DoS) for the entire system. All Xen versions from 4.4 onwards are vulnerable. Xen versions 4.3 and earlier are not vulnerable. Only systems with untrusted guests permitted to create more than the default number of event channels are vulnerable. This number depends on the architecture and type of guest. For 32-bit x86 PV guests, this is 1023; for 64-bit x86 PV guests, and for all ARM guests, this number is 4095. Systems where untrusted guests are limited to fewer than this number are not vulnerable. Note that xl and libxl limit max_event_channels to 1023 by default, so systems using exclusively xl, libvirt+libxl, or their own toolstack based on libxl, and not explicitly setting max_event_channels, are not vulnerable. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25597 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-25598 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen 4.14.x. There is a missing unlock in the XENMEM_acquire_resource error path. The RCU (Read, Copy, Update) mechanism is a synchronisation primitive. A buggy error path in the XENMEM_acquire_resource exits without releasing an RCU reference, which is conceptually similar to forgetting to unlock a spinlock. A buggy or malicious HVM stubdomain can cause an RCU reference to be leaked. This causes subsequent administration operations, (e.g., CPU offline) to livelock, resulting in a host Denial of Service. The buggy codepath has been present since Xen 4.12. Xen 4.14 and later are vulnerable to the DoS. The side effects are believed to be benign on Xen 4.12 and 4.13, but patches are provided nevertheless. The vulnerability can generally only be exploited by x86 HVM VMs, as these are generally the only type of VM that have a Qemu stubdomain. x86 PV and PVH domains, as well as ARM VMs, typically don't use a stubdomain. Only VMs using HVM stubdomains can exploit the vulnerability. VMs using PV stubdomains, or with emulators running in dom0, cannot exploit the vulnerability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25598 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-25599 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory accesses or triggering of bug checks. In particular, x86 PV guests may be able to elevate their privilege to that of the host. Host and guest crashes are also possible, leading to a Denial of Service (DoS). Information leaks cannot be ruled out. All Xen versions from 4.5 onwards are vulnerable. Xen versions 4.4 and earlier are not vulnerable. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25599 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-25600 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm (either bitness) ones. 32-bit x86 domains can use only 1023 channels, due to limited space in their shared (between guest and Xen) information structure, whereas all other domains can use up to 4095 in this model. The recording of the respective limit during domain initialization, however, has occurred at a time where domains are still deemed to be 64-bit ones, prior to actually honoring respective domain properties. At the point domains get recognized as 32-bit ones, the limit didn't get updated accordingly. Due to this misbehavior in Xen, 32-bit domains (including Domain 0) servicing other domains may observe event channel allocations to succeed when they should really fail. Subsequent use of such event channels would then possibly lead to corruption of other parts of the shared info structure. An unprivileged guest may cause another domain, in particular Domain 0, to misbehave. This may lead to a Denial of Service (DoS) for the entire system. All Xen versions from 4.4 onwards are vulnerable. Xen versions 4.3 and earlier are not vulnerable. Only x86 32-bit domains servicing other domains are vulnerable. Arm systems, as well as x86 64-bit domains, are not vulnerable. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25600 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-25601 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. There is a lack of preemption in evtchn_reset() / evtchn_destroy(). In particular, the FIFO event channel model allows guests to have a large number of event channels active at a time. Closing all of these (when resetting all event channels or when cleaning up after the guest) may take extended periods of time. So far, there was no arrangement for preemption at suitable intervals, allowing a CPU to spend an almost unbounded amount of time in the processing of these operations. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system. All Xen versions are vulnerable in principle. Whether versions 4.3 and older are vulnerable depends on underlying hardware characteristics. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25601 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-25602 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. An x86 PV guest can trigger a host OS crash when handling guest access to MSR_MISC_ENABLE. When a guest accesses certain Model Specific Registers, Xen first reads the value from hardware to use as the basis for auditing the guest access. For the MISC_ENABLE MSR, which is an Intel specific MSR, this MSR read is performed without error handling for a #GP fault, which is the consequence of trying to read this MSR on non-Intel hardware. A buggy or malicious PV guest administrator can crash Xen, resulting in a host Denial of Service. Only x86 systems are vulnerable. ARM systems are not vulnerable. Only Xen versions 4.11 and onwards are vulnerable. 4.10 and earlier are not vulnerable. Only x86 systems that do not implement the MISC_ENABLE MSR (0x1a0) are vulnerable. AMD and Hygon systems do not implement this MSR and are vulnerable. Intel systems do implement this MSR and are not vulnerable. Other manufacturers have not been checked. Only x86 PV guests can exploit the vulnerability. x86 HVM/PVH guests cannot exploit the vulnerability. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25602 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-25603 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. There are missing memory barriers when accessing/allocating an event channel. Event channels control structures can be accessed lockless as long as the port is considered to be valid. Such a sequence is missing an appropriate memory barrier (e.g., smp_*mb()) to prevent both the compiler and CPU from re-ordering access. A malicious guest may be able to cause a hypervisor crash resulting in a Denial of Service (DoS). Information leak and privilege escalation cannot be excluded. Systems running all versions of Xen are affected. Whether a system is vulnerable will depend on the CPU and compiler used to build Xen. For all systems, the presence and the scope of the vulnerability depend on the precise re-ordering performed by the compiler used to build Xen. We have not been able to survey compilers; consequently we cannot say which compiler(s) might produce vulnerable code (with which code generation options). GCC documentation clearly suggests that re-ordering is possible. Arm systems will also be vulnerable if the CPU is able to re-order memory access. Please consult your CPU vendor. x86 systems are only vulnerable if a compiler performs re-ordering. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25603 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-25604 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. There is a race condition when migrating timers between x86 HVM vCPUs. When migrating timers of x86 HVM guests between its vCPUs, the locking model used allows for a second vCPU of the same guest (also operating on the timers) to release a lock that it didn't acquire. The most likely effect of the issue is a hang or crash of the hypervisor, i.e., a Denial of Service (DoS). All versions of Xen are affected. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only x86 HVM guests can leverage the vulnerability. x86 PV and PVH cannot leverage the vulnerability. Only guests with more than one vCPU can exploit the vulnerability. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25604 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-27670 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a denial of service (data corruption), cause a data leak, or possibly gain privileges because an AMD IOMMU page-table entry can be half-updated. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27670 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-27671 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x allowing x86 HVM and PVH guest OS users to cause a denial of service (data corruption), cause a data leak, or possibly gain privileges because coalescing of per-page IOMMU TLB flushes is mishandled. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27671 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-27672 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a host OS denial of service, achieve data corruption, or possibly gain privileges by exploiting a race condition that leads to a use-after-free involving 2MiB and 1GiB superpages. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27672 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-27673 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27673 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-27674 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27674 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-28368 CVE STATUS: Patched CVE SUMMARY: Xen through 4.14.x allows guest OS administrators to obtain sensitive information (such as AES keys from outside the guest) via a side-channel attack on a power/energy monitoring interface, aka a "Platypus" attack. NOTE: there is only one logically independent fix: to change the access control for each such interface in Xen. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28368 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-29040 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x allowing x86 HVM guest OS users to cause a denial of service (stack corruption), cause a data leak, or possibly gain privileges because of an off-by-one error. NOTE: this issue is caused by an incorrect fix for CVE-2020-27671. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29040 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-29479 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. In the Ocaml xenstored implementation, the internal representation of the tree has special cases for the root node, because this node has no parent. Unfortunately, permissions were not checked for certain operations on the root node. Unprivileged guests can get and modify permissions, list, and delete the root node. (Deleting the whole xenstore tree is a host-wide denial of service.) Achieving xenstore write access is also possible. All systems using oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution, if the Ocaml compiler is available. Systems using C xenstored are not vulnerable. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29479 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-29480 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. Neither xenstore implementation does any permission checks when reporting a xenstore watch event. A guest administrator can watch the root xenstored node, which will cause notifications for every created, modified, and deleted key. A guest administrator can also use the special watches, which will cause a notification every time a domain is created and destroyed. Data may include: number, type, and domids of other VMs; existence and domids of driver domains; numbers of virtual interfaces, block devices, vcpus; existence of virtual framebuffers and their backend style (e.g., existence of VNC service); Xen VM UUIDs for other domains; timing information about domain creation and device setup; and some hints at the backend provisioning of VMs and their devices. The watch events do not contain values stored in xenstore, only key names. A guest administrator can observe non-sensitive domain and device lifecycle events relating to other guests. This information allows some insight into overall system configuration (including the number and general nature of other guests), and configuration of other guests (including the number and general nature of other guests' devices). This information might be commercially interesting or might make other attacks easier. There is not believed to be exposure of sensitive data. Specifically, there is no exposure of VNC passwords, port numbers, pathnames in host and guest filesystems, cryptographic keys, or within-guest data. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 2.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29480 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-29481 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. Access rights of Xenstore nodes are per domid. Unfortunately, existing granted access rights are not removed when a domain is being destroyed. This means that a new domain created with the same domid will inherit the access rights to Xenstore nodes from the previous domain(s) with the same domid. Because all Xenstore entries of a guest below /local/domain/ are being deleted by Xen tools when a guest is destroyed, only Xenstore entries of other guests still running are affected. For example, a newly created guest domain might be able to read sensitive information that had belonged to a previously existing guest domain. Both Xenstore implementations (C and Ocaml) are vulnerable. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29481 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-29482 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. A guest may access xenstore paths via absolute paths containing a full pathname, or via a relative path, which implicitly includes /local/domain/$DOMID for their own domain id. Management tools must access paths in guests' namespaces, necessarily using absolute paths. oxenstored imposes a pathname limit that is applied solely to the relative or absolute path specified by the client. Therefore, a guest can create paths in its own namespace which are too long for management tools to access. Depending on the toolstack in use, a malicious guest administrator might cause some management tools and debugging operations to fail. For example, a guest administrator can cause "xenstore-ls -r" to fail. However, a guest administrator cannot prevent the host administrator from tearing down the domain. All systems using oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution, if the Ocaml compiler is available. Systems using C xenstored are not vulnerable. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29482 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-29483 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. Xenstored and guests communicate via a shared memory page using a specific protocol. When a guest violates this protocol, xenstored will drop the connection to that guest. Unfortunately, this is done by just removing the guest from xenstored's internal management, resulting in the same actions as if the guest had been destroyed, including sending an @releaseDomain event. @releaseDomain events do not say that the guest has been removed. All watchers of this event must look at the states of all guests to find the guest that has been removed. When an @releaseDomain is generated due to a domain xenstored protocol violation, because the guest is still running, the watchers will not react. Later, when the guest is actually destroyed, xenstored will no longer have it stored in its internal data base, so no further @releaseDomain event will be sent. This can lead to a zombie domain; memory mappings of that guest's memory will not be removed, due to the missing event. This zombie domain will be cleaned up only after another domain is destroyed, as that will trigger another @releaseDomain event. If the device model of the guest that violated the Xenstore protocol is running in a stub-domain, a use-after-free case could happen in xenstored, after having removed the guest from its internal data base, possibly resulting in a crash of xenstored. A malicious guest can block resources of the host for a period after its own death. Guests with a stub domain device model can eventually crash xenstored, resulting in a more serious denial of service (the prevention of any further domain management operations). Only the C variant of Xenstore is affected; the Ocaml variant is not affected. Only HVM guests with a stubdom device model can cause a serious DoS. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29483 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-29484 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. When a Xenstore watch fires, the xenstore client that registered the watch will receive a Xenstore message containing the path of the modified Xenstore entry that triggered the watch, and the tag that was specified when registering the watch. Any communication with xenstored is done via Xenstore messages, consisting of a message header and the payload. The payload length is limited to 4096 bytes. Any request to xenstored resulting in a response with a payload longer than 4096 bytes will result in an error. When registering a watch, the payload length limit applies to the combined length of the watched path and the specified tag. Because watches for a specific path are also triggered for all nodes below that path, the payload of a watch event message can be longer than the payload needed to register the watch. A malicious guest that registers a watch using a very large tag (i.e., with a registration operation payload length close to the 4096 byte limit) can cause the generation of watch events with a payload length larger than 4096 bytes, by writing to Xenstore entries below the watched path. This will result in an error condition in xenstored. This error can result in a NULL pointer dereference, leading to a crash of xenstored. A malicious guest administrator can cause xenstored to crash, leading to a denial of service. Following a xenstored crash, domains may continue to run, but management operations will be impossible. Only C xenstored is affected, oxenstored is not affected. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29484 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-29485 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen 4.6 through 4.14.x. When acting upon a guest XS_RESET_WATCHES request, not all tracking information is freed. A guest can cause unbounded memory usage in oxenstored. This can lead to a system-wide DoS. Only systems using the Ocaml Xenstored implementation are vulnerable. Systems using the C Xenstored implementation are not vulnerable. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29485 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-29486 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. Nodes in xenstore have an ownership. In oxenstored, a owner could give a node away. However, node ownership has quota implications. Any guest can run another guest out of quota, or create an unbounded number of nodes owned by dom0, thus running xenstored out of memory A malicious guest administrator can cause a denial of service against a specific guest or against the whole host. All systems using oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution, if the Ocaml compiler is available. Systems using C xenstored are not vulnerable. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29486 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-29566 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. When they require assistance from the device model, x86 HVM guests must be temporarily de-scheduled. The device model will signal Xen when it has completed its operation, via an event channel, so that the relevant vCPU is rescheduled. If the device model were to signal Xen without having actually completed the operation, the de-schedule / re-schedule cycle would repeat. If, in addition, Xen is resignalled very quickly, the re-schedule may occur before the de-schedule was fully complete, triggering a shortcut. This potentially repeating process uses ordinary recursive function calls, and thus could result in a stack overflow. A malicious or buggy stubdomain serving a HVM guest can cause Xen to crash, resulting in a Denial of Service (DoS) to the entire host. Only x86 systems are affected. Arm systems are not affected. Only x86 stubdomains serving HVM guests can exploit the vulnerability. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29566 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-29567 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen 4.14.x. When moving IRQs between CPUs to distribute the load of IRQ handling, IRQ vectors are dynamically allocated and de-allocated on the relevant CPUs. De-allocation has to happen when certain constraints are met. If these conditions are not met when first checked, the checking CPU may send an interrupt to itself, in the expectation that this IRQ will be delivered only after the condition preventing the cleanup has cleared. For two specific IRQ vectors, this expectation was violated, resulting in a continuous stream of self-interrupts, which renders the CPU effectively unusable. A domain with a passed through PCI device can cause lockup of a physical CPU, resulting in a Denial of Service (DoS) to the entire host. Only x86 systems are vulnerable. Arm systems are not vulnerable. Only guests with physical PCI devices passed through to them can exploit the vulnerability. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29567 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-29568 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. Some OSes (such as Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued. As the queue is unbounded, a guest may be able to trigger an OOM in the backend. All systems with a FreeBSD, Linux, or NetBSD (any version) dom0 are vulnerable. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29568 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-29569 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the Linux kernel through 5.10.1, as used with Xen through 4.14.x. The Linux kernel PV block backend expects the kernel thread handler to reset ring->xenblkd to NULL when stopped. However, the handler may not have time to run if the frontend quickly toggles between the states connect and disconnect. As a consequence, the block backend may re-use a pointer after it was freed. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. Privilege escalation and information leaks cannot be ruled out. This only affects systems with a Linux blkback. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29569 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-29570 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. Recording of the per-vCPU control block mapping maintained by Xen and that of pointers into the control block is reversed. The consumer assumes, seeing the former initialized, that the latter are also ready for use. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29570 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2020-29571 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.14.x. A bounds check common to most operation time functions specific to FIFO event channels depends on the CPU observing consistent state. While the producer side uses appropriately ordered writes, the consumer side isn't protected against re-ordered reads, and may hence end up de-referencing a NULL pointer. Malicious or buggy guest kernels can mount a Denial of Service (DoS) attack affecting the entire system. Only Arm systems may be vulnerable. Whether a system is vulnerable depends on the specific CPU. x86 systems are not vulnerable. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29571 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-26313 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-375 Speculative Code Store Bypass CVE SUMMARY: Potential speculative code store bypass in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution of overwritten instructions, may cause an incorrect speculation and could result in data leakage. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-26313 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-26314 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-375 AMD FPVI; XSA explicitly states Xen is not vulnerable CVE SUMMARY: Potential floating point value injection in all supported CPU products, in conjunction with software vulnerabilities relating to speculative execution with incorrect floating point results, may cause the use of incorrect data from FPVI and may result in data leakage. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-26314 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-26933 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen 4.9 through 4.14.x. On Arm, a guest is allowed to control whether memory accesses are bypassing the cache. This means that Xen needs to ensure that all writes (such as the ones during scrubbing) have reached the memory before handing over the page to a guest. Unfortunately, the operation to clean the cache is happening before checking if the page was scrubbed. Therefore there is no guarantee when all the writes will reach the memory. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-26933 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-27379 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM guest OS users to achieve unintended read/write DMA access, and possibly cause a denial of service (host OS crash) or gain privileges. This occurs because a backport missed a flush, and thus IOMMU updates were not always correct. NOTE: this issue exists because of an incomplete fix for CVE-2020-15565. CVSS v2 BASE SCORE: 5.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-27379 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28039 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-369 Linux foreign-page mapping; fix is in Linux CVE SUMMARY: An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen. In some less-common configurations, an x86 PV guest OS user can crash a Dom0 or driver domain via a large amount of I/O activity. The issue relates to misuse of guest physical addresses when a configuration has CONFIG_XEN_UNPOPULATED_ALLOC but not CONFIG_XEN_BALLOON_MEMORY_HOTPLUG. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28039 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28687 CVE STATUS: Patched CVE SUMMARY: HVM soft-reset crashes toolstack libxl requires all data structures passed across its public interface to be initialized before use and disposed of afterwards by calling a specific set of functions. Many internal data structures also require this initialize / dispose discipline, but not all of them. When the "soft reset" feature was implemented, the libxl__domain_suspend_state structure didn't require any initialization or disposal. At some point later, an initialization function was introduced for the structure; but the "soft reset" path wasn't refactored to call the initialization function. When a guest nwo initiates a "soft reboot", uninitialized data structure leads to an assert() when later code finds the structure in an unexpected state. The effect of this is to crash the process monitoring the guest. How this affects the system depends on the structure of the toolstack. For xl, this will have no security-relevant effect: every VM has its own independent monitoring process, which contains no state. The domain in question will hang in a crashed state, but can be destroyed by `xl destroy` just like any other non-cooperating domain. For daemon-based toolstacks linked against libxl, such as libvirt, this will crash the toolstack, losing the state of any in-progress operations (localized DoS), and preventing further administrator operations unless the daemon is configured to restart automatically (system-wide DoS). If crashes "leak" resources, then repeated crashes could use up resources, also causing a system-wide DoS. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28687 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28689 CVE STATUS: Patched CVE SUMMARY: x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests 32-bit x86 PV guest kernels run in ring 1. At the time when Xen was developed, this area of the i386 architecture was rarely used, which is why Xen was able to use it to implement paravirtualisation, Xen's novel approach to virtualization. In AMD64, Xen had to use a different implementation approach, so Xen does not use ring 1 to support 64-bit guests. With the focus now being on 64-bit systems, and the availability of explicit hardware support for virtualization, fixing speculation issues in ring 1 is not a priority for processor companies. Indirect Branch Restricted Speculation (IBRS) is an architectural x86 extension put together to combat speculative execution sidechannel attacks, including Spectre v2. It was retrofitted in microcode to existing CPUs. For more details on Spectre v2, see: http://xenbits.xen.org/xsa/advisory-254.html However, IBRS does not architecturally protect ring 0 from predictions learnt in ring 1. For more details, see: https://software.intel.com/security-software-guidance/deep-dives/deep-dive-indirect-branch-restricted-speculation Similar situations may exist with other mitigations for other kinds of speculative execution attacks. The situation is quite likely to be similar for speculative execution attacks which have yet to be discovered, disclosed, or mitigated. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28689 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28690 CVE STATUS: Patched CVE SUMMARY: x86: TSX Async Abort protections not restored after S3 This issue relates to the TSX Async Abort speculative security vulnerability. Please see https://xenbits.xen.org/xsa/advisory-305.html for details. Mitigating TAA by disabling TSX (the default and preferred option) requires selecting a non-default setting in MSR_TSX_CTRL. This setting isn't restored after S3 suspend. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28690 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28692 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-373 IOMMU completion timeout CVE SUMMARY: inappropriate x86 IOMMU timeout detection / handling IOMMUs process commands issued to them in parallel with the operation of the CPU(s) issuing such commands. In the current implementation in Xen, asynchronous notification of the completion of such commands is not used. Instead, the issuing CPU spin-waits for the completion of the most recently issued command(s). Some of these waiting loops try to apply a timeout to fail overly-slow commands. The course of action upon a perceived timeout actually being detected is inappropriate: - on Intel hardware guests which did not originally cause the timeout may be marked as crashed, - on AMD hardware higher layer callers would not be notified of the issue, making them continue as if the IOMMU operation succeeded. CVSS v2 BASE SCORE: 5.6 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28692 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28693 CVE STATUS: Patched CVE SUMMARY: xen/arm: Boot modules are not scrubbed The bootloader will load boot modules (e.g. kernel, initramfs...) in a temporary area before they are copied by Xen to each domain memory. To ensure sensitive data is not leaked from the modules, Xen must "scrub" them before handing the page over to the allocator. Unfortunately, it was discovered that modules will not be scrubbed on Arm. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28693 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28694 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-378 IOMMU page mapping CVE SUMMARY: IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696). CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28694 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28695 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-378 IOMMU page mapping CVE SUMMARY: IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696). CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28695 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28696 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-378 IOMMU page mapping CVE SUMMARY: IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify regions of memory which should be left untranslated, which typically means these addresses should pass the translation phase unaltered. While these are typically device specific ACPI properties, they can also be specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the identity mappings would be left in place, allowing a guest continued access to ranges of memory which it shouldn't have access to anymore (CVE-2021-28696). CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28696 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28697 CVE STATUS: Patched CVE SUMMARY: grant table v2 status pages may remain accessible after de-allocation Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28697 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28698 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-380 long loops in grant table CVE SUMMARY: long running loops in grant table handling In order to properly monitor resource use, Xen maintains information on the grant mappings a domain may create to map grants offered by other domains. In the process of carrying out certain actions, Xen would iterate over all such entries, including ones which aren't in use anymore and some which may have been created but never used. If the number of entries for a given domain is large enough, this iterating of the entire table may tie up a CPU for too long, starving other domains or causing issues in the hypervisor itself. Note that a domain may map its own grants, i.e. there is no need for multiple domains to be involved here. A pair of "cooperating" guests may, however, cause the effects to be more severe. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28698 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28699 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-382 grant-v2 status array bounds CVE SUMMARY: inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result, guests also need to be able to retrieve the addresses that the new status tracking table can be accessed through. For 32-bit guests on x86, translation of requests has to occur because the interface structure layouts commonly differ between 32- and 64-bit. The translation of the request to obtain the frame numbers of the grant status table involves translating the resulting array of frame numbers. Since the space used to carry out the translation is limited, the translation layer tells the core function the capacity of the array within translation space. Unfortunately the core function then only enforces array bounds to be below 8 times the specified value, and would write past the available space if enough frame numbers needed storing. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28699 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28700 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-383 dom0less domU memory limit (Arm) CVE SUMMARY: xen/arm: No memory limit for dom0less domUs The dom0less feature allows an administrator to create multiple unprivileged domains directly from Xen. Unfortunately, the memory limit from them is not set. This allow a domain to allocate memory beyond what an administrator originally configured. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 4.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28700 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28701 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-384 XENMAPSPACE_grant_table race CVE SUMMARY: Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing such pages requires that the hypervisor enforce that no parallel request can result in the addition of a mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared, this similar issue was not noticed. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28701 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28702 CVE STATUS: Patched CVE SUMMARY: PCI devices with RMRRs not deassigned correctly Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR"). These are typically used for platform tasks such as legacy USB emulation. If such a device is passed through to a guest, then on guest shutdown the device is not properly deassigned. The IOMMU configuration for these devices which are not properly deassigned ends up pointing to a freed data structure, including the IO Pagetables. Subsequent DMA or interrupts from the device will have unpredictable behaviour, ranging from IOMMU faults to memory corruption. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28702 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28703 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-387 grant v2 status pages take two (66f400c71d12) CVE SUMMARY: grant table v2 status pages may remain accessible after de-allocation (take two) Guest get permitted access to certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the guest to insert mappings of these pages may result in any of them to become mapped in multiple locations. Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps re-used for other purposes. This bug was fortuitously fixed by code cleanup in Xen 4.14, and backported to security-supported Xen branches as a prerequisite of the fix for XSA-378. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28703 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28704 CVE STATUS: Patched CVE SUMMARY: PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). The implementation of some of these hypercalls for PoD does not enforce the base page frame number to be suitably aligned for the specified order, yet some code involved in PoD handling actually makes such an assumption. These operations are XENMEM_decrease_reservation (CVE-2021-28704) and XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by domains controlling the guest, i.e. a de-privileged qemu or a stub domain. (Patch 1, combining the fix to both these two issues.) In addition handling of XENMEM_decrease_reservation can also trigger a host crash when the specified page order is neither 4k nor 2M nor 1G (CVE-2021-28708, patch 2). CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28704 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28705 CVE STATUS: Patched CVE SUMMARY: issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). In some cases the hypervisor carries out the requests by splitting them into smaller chunks. Error handling in certain PoD cases has been insufficient in that in particular partial success of some operations was not properly accounted for. There are two code paths affected - page removal (CVE-2021-28705) and insertion of new pages (CVE-2021-28709). (We provide one patch which combines the fix to both issues.) CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28705 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28706 CVE STATUS: Patched CVE SUMMARY: guests may exceed their designated memory limit When a guest is permitted to have close to 16TiB of memory, it may be able to issue hypercalls to increase its memory allocation beyond the administrator established limit. This is a result of a calculation done with 32-bit precision, which may overflow. It would then only be the overflowed (and hence small) number which gets compared against the established upper bound. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28706 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28707 CVE STATUS: Patched CVE SUMMARY: PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). The implementation of some of these hypercalls for PoD does not enforce the base page frame number to be suitably aligned for the specified order, yet some code involved in PoD handling actually makes such an assumption. These operations are XENMEM_decrease_reservation (CVE-2021-28704) and XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by domains controlling the guest, i.e. a de-privileged qemu or a stub domain. (Patch 1, combining the fix to both these two issues.) In addition handling of XENMEM_decrease_reservation can also trigger a host crash when the specified page order is neither 4k nor 2M nor 1G (CVE-2021-28708, patch 2). CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28707 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28708 CVE STATUS: Patched CVE SUMMARY: PoD operations on misaligned GFNs T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). The implementation of some of these hypercalls for PoD does not enforce the base page frame number to be suitably aligned for the specified order, yet some code involved in PoD handling actually makes such an assumption. These operations are XENMEM_decrease_reservation (CVE-2021-28704) and XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by domains controlling the guest, i.e. a de-privileged qemu or a stub domain. (Patch 1, combining the fix to both these two issues.) In addition handling of XENMEM_decrease_reservation can also trigger a host crash when the specified page order is neither 4k nor 2M nor 1G (CVE-2021-28708, patch 2). CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28708 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28709 CVE STATUS: Patched CVE SUMMARY: issues with partially successful P2M updates on x86 T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode, to provide a way for them to later easily have more memory assigned. Guests are permitted to control certain P2M aspects of individual pages via hypercalls. These hypercalls may act on ranges of pages specified via page orders (resulting in a power-of-2 number of pages). In some cases the hypervisor carries out the requests by splitting them into smaller chunks. Error handling in certain PoD cases has been insufficient in that in particular partial success of some operations was not properly accounted for. There are two code paths affected - page removal (CVE-2021-28705) and insertion of new pages (CVE-2021-28709). (We provide one patch which combines the fix to both issues.) CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28709 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28710 CVE STATUS: Patched CVE SUMMARY: certain VT-d IOMMUs may not work in shared page table mode For efficiency reasons, address translation control structures (page tables) may (and, on suitable hardware, by default will) be shared between CPUs, for second-level translation (EPT), and IOMMUs. These page tables are presently set up to always be 4 levels deep. However, an IOMMU may require the use of just 3 page table levels. In such a configuration the lop level table needs to be stripped before inserting the root table's address into the hardware pagetable base register. When sharing page tables, Xen erroneously skipped this stripping. Consequently, the guest is able to write to leaf page table entries. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28710 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28711 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-391 Linux PV backends event flood; fix is in Linux CVE SUMMARY: Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713 CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28711 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28712 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-391 Linux PV backends; fix is in Linux CVE SUMMARY: Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713 CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28712 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-28713 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-391 Linux PV backends; fix is in Linux CVE SUMMARY: Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713 CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28713 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2021-3308 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Xen 4.12.3 through 4.12.4 and 4.13.1 through 4.14.x. An x86 HVM guest with PCI pass through devices can force the allocation of all IDT vectors on the system by rebooting itself with MSI or MSI-X capabilities enabled and entries setup. Such reboots will leak any vectors used by the MSI(-X) entries that the guest might had enabled, and hence will lead to vector exhaustion on the system, not allowing further PCI pass through devices to work properly. HVM guests with PCI pass through devices can mount a Denial of Service (DoS) attack affecting the pass through of PCI devices to other guests or the hardware domain. In the latter case, this would affect the entire host. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3308 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-21123 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-404 MMIO Stale Data; spec-ctrl=unpriv-mmio + FB_CLEAR present upstream CVE SUMMARY: Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-21123 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-21125 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-404 MMIO Stale Data CVE SUMMARY: Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-21125 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-21127 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-404 SRBDS Update; fixed by Intel CPU microcode alone, no Xen patch CVE SUMMARY: Incomplete cleanup in specific special register read operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-21127 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-21166 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-404 MMIO Stale Data CVE SUMMARY: Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-21166 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-23033 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-393 guest_physmap_remove_page (Arm) CVE SUMMARY: arm: guest_physmap_remove_page not removing the p2m mappings The functions to remove one or more entries from a guest p2m pagetable on Arm (p2m_remove_mapping, guest_physmap_remove_page, and p2m_set_entry with mfn set to INVALID_MFN) do not actually clear the pagetable entry if the entry doesn't have the valid bit set. It is possible to have a valid pagetable entry without the valid bit set when a guest operating system uses set/way cache maintenance instructions. For instance, a guest issuing a set/way cache maintenance instruction, then calling the XENMEM_decrease_reservation hypercall to give back memory pages to Xen, might be able to retain access to those pages even after Xen started reusing them for other purposes. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23033 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-23034 CVE STATUS: Patched CVE SUMMARY: A PV guest could DoS Xen while unmapping a grant To address XSA-380, reference counting was introduced for grant mappings for the case where a PV guest would have the IOMMU enabled. PV guests can request two forms of mappings. When both are in use for any individual mapping, unmapping of such a mapping can be requested in two steps. The reference count for such a mapping would then mistakenly be decremented twice. Underflow of the counters gets detected, resulting in the triggering of a hypervisor bug check. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23034 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-23035 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-395 passed-through device IRQ cleanup CVE SUMMARY: Insufficient cleanup of passed-through device IRQs The management of IRQs associated with physical devices exposed to x86 HVM guests involves an iterative operation in particular when cleaning up after the guest's use of the device. In the case where an interrupt is not quiescent yet at the time this cleanup gets invoked, the cleanup attempt may be scheduled to be retried. When multiple interrupts are involved, this scheduling of a retry may get erroneously skipped. At the same time pointers may get cleared (resulting in a de-reference of NULL) and freed (resulting in a use-after-free), while other code would continue to assume them to be valid. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 4.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23035 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-23036 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-396 Linux PV frontends; fix is in Linux CVE SUMMARY: Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23036 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-23037 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-396 Linux PV frontends; fix is in Linux CVE SUMMARY: Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23037 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-23038 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-396 Linux PV frontends; fix is in Linux CVE SUMMARY: Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23038 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-23039 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-396 Linux PV frontends; fix is in Linux CVE SUMMARY: Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23039 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-23040 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-396 Linux PV frontends; fix is in Linux CVE SUMMARY: Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23040 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-23041 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-396 Linux PV frontends; fix is in Linux CVE SUMMARY: Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23041 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-23042 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-396 Linux PV frontends; fix is in Linux CVE SUMMARY: Linux PV device frontends vulnerable to attacks by backends T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends: blkfront, netfront, scsifront and the gntalloc driver are testing whether a grant reference is still in use. If this is not the case, they assume that a following removal of the granted access will always succeed, which is not true in case the backend has mapped the granted page between those two operations. As a result the backend can keep access to the memory page of the guest no matter how the page will be used after the frontend I/O has finished. The xenbus driver has a similar problem, as it doesn't check the success of removing the granted access of a shared ring buffer. blkfront: CVE-2022-23036 netfront: CVE-2022-23037 scsifront: CVE-2022-23038 gntalloc: CVE-2022-23039 xenbus: CVE-2022-23040 blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, and pvcalls are using a functionality to delay freeing a grant reference until it is no longer in use, but the freeing of the related data page is not synchronized with dropping the granted access. As a result the backend can keep access to the memory page even after it has been freed and then re-used for a different purpose. CVE-2022-23041 netfront will fail a BUG_ON() assertion if it fails to revoke access in the rx path. This will result in a Denial of Service (DoS) situation of the guest which can be triggered by the backend. CVE-2022-23042 CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23042 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-23824 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-422 multiple speculative + IBPB (AMD) CVE SUMMARY: IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information disclosure. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23824 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-23960 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-398 Spectre-BHB (xen/arch/arm/cpuerrata.c) CVE SUMMARY: Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23960 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-26356 CVE STATUS: Patched CVE SUMMARY: Racy interactions between dirty vram tracking and paging log dirty hypercalls Activation of log dirty mode done by XEN_DMOP_track_dirty_vram (was named HVMOP_track_dirty_vram before Xen 4.9) is racy with ongoing log dirty hypercalls. A suitably timed call to XEN_DMOP_track_dirty_vram can enable log dirty while another CPU is still in the process of tearing down the structures related to a previously enabled log dirty mode (XEN_DOMCTL_SHADOW_OP_OFF). This is due to lack of mutually exclusive locking between both operations and can lead to entries being added in already freed slots, resulting in a memory leak. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26356 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-26357 CVE STATUS: Patched CVE SUMMARY: race in VT-d domain ID cleanup Xen domain IDs are up to 15 bits wide. VT-d hardware may allow for only less than 15 bits to hold a domain ID associating a physical device with a particular domain. Therefore internally Xen domain IDs are mapped to the smaller value range. The cleaning up of the housekeeping structures has a race, allowing for VT-d domain IDs to be leaked and flushes to be bypassed. CVSS v2 BASE SCORE: 6.2 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26357 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-26358 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-400 IOMMU RMRR / AMD unity map CVE SUMMARY: IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26358 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-26359 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-400 IOMMU RMRR / AMD unity map CVE SUMMARY: IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26359 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-26360 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-400 IOMMU RMRR / AMD unity map CVE SUMMARY: IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26360 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-26361 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-400 IOMMU RMRR / AMD unity map CVE SUMMARY: IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. This requirement has been violated. Subsequent DMA or interrupts from the device may have unpredictable behaviour, ranging from IOMMU faults to memory corruption. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26361 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-26362 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-401 typeref acquisition race CVE SUMMARY: x86 pv: Race condition in typeref acquisition Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, the logic for acquiring a type reference has a race condition, whereby a safely TLB flush is issued too early and creates a window where the guest can re-establish the read/write mapping before writeability is prohibited. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 6.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26362 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-26363 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-402 non-coherent mappings CVE SUMMARY: x86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26363 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-26364 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-402 non-coherent mappings CVE SUMMARY: x86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26364 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-26365 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-403 Linux blkfront/netfront leaks; fix is in Linux CVE SUMMARY: Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26365 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-29900 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-407 Retbleed (AMD) CVE SUMMARY: Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution under certain microarchitecture-dependent conditions. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29900 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-29901 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-407 Intel covered by existing Spectre-v2 defaults (XSA-254 et al.); no new patch needed CVE SUMMARY: Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29901 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-33740 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-403 Linux frontends; fix is in Linux CVE SUMMARY: Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33740 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-33741 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-403 Linux frontends; fix is in Linux CVE SUMMARY: Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33741 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-33742 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-403 Linux frontends; fix is in Linux CVE SUMMARY: Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33742 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-33743 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-405 Linux netfront freed-SKB use; fix is in Linux CVE SUMMARY: network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33743 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-33745 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-408 shadow-mode TLB flush CVE SUMMARY: insufficient TLB flush for x86 PV guests in shadow mode For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions. The now wrong use of the variable did lead to a wrong TLB flush condition, omitting flushes where such are necessary. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33745 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-33746 CVE STATUS: Patched CVE SUMMARY: P2M pool freeing may take excessively long The P2M pool backing second level address translation for guests may be of significant size. Therefore its freeing may take more time than is reasonable without intermediate preemption checks. Such checking for the need to preempt was so far missing. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33746 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-33747 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-409 2nd-level pagetable bound (Arm) CVE SUMMARY: Arm: unbounded memory consumption for 2nd-level page tables Certain actions require e.g. removing pages from a guest's P2M (Physical-to-Machine) mapping. When large pages are in use to map guest pages in the 2nd-stage page tables, such a removal operation may incur a memory allocation (to replace a large mapping with individual smaller ones). These memory allocations are taken from the global memory pool. A malicious guest might be able to cause the global memory pool to be exhausted by manipulating its own P2M mappings. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33747 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-33748 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-411 transitive grant copy lock order CVE SUMMARY: lock order inversion in transitive grant copy handling As part of XSA-226 a missing cleanup call was inserted on an error handling path. While doing so, locking requirements were not paid attention to. As a result two cooperating guests granting each other transitive grants can cause locks to be acquired nested within one another, but in respectively opposite order. With suitable timing between the involved grant copy operations this may result in the locking up of a CPU. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33748 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-40982 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-435 Gather Data Sampling (Intel) CVE SUMMARY: Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40982 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42309 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-414 tools/xenstored CVE SUMMARY: Xenstore: Guests can crash xenstored Due to a bug in the fix of XSA-115 a malicious guest can cause xenstored to use a wrong pointer during node creation in an error path, resulting in a crash of xenstored or a memory corruption in xenstored causing further damage. Entering the error path can be controlled by the guest e.g. by exceeding the quota value of maximum nodes per domain. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42309 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42310 CVE STATUS: Patched CVE SUMMARY: Xenstore: Guests can create orphaned Xenstore nodes By creating multiple nodes inside a transaction resulting in an error, a malicious guest can create orphaned nodes in the Xenstore data base, as the cleanup after the error will not remove all nodes already created. When the transaction is committed after this situation, nodes without a valid parent can be made permanent in the data base. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42310 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42311 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-326 tools/xenstored CVE SUMMARY: Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42311 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42312 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-326 tools/xenstored CVE SUMMARY: Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42312 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42313 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-326 tools/xenstored CVE SUMMARY: Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42313 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42314 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-326 tools/xenstored CVE SUMMARY: Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42314 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42315 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-326 tools/xenstored CVE SUMMARY: Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42315 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42316 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-326 tools/xenstored CVE SUMMARY: Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42316 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42317 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-326 tools/xenstored CVE SUMMARY: Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42317 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42318 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-326 tools/xenstored CVE SUMMARY: Xenstore: guests can let run xenstored out of memory T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Malicious guests can cause xenstored to allocate vast amounts of memory, eventually resulting in a Denial of Service (DoS) of xenstored. There are multiple ways how guests can cause large memory allocations in xenstored: - - by issuing new requests to xenstored without reading the responses, causing the responses to be buffered in memory - - by causing large number of watch events to be generated via setting up multiple xenstore watches and then e.g. deleting many xenstore nodes below the watched path - - by creating as many nodes as allowed with the maximum allowed size and path length in as many transactions as possible - - by accessing many nodes inside a transaction CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42318 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42319 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-416 tools/xenstored CVE SUMMARY: Xenstore: Guests can cause Xenstore to not free temporary memory When working on a request of a guest, xenstored might need to allocate quite large amounts of memory temporarily. This memory is freed only after the request has been finished completely. A request is regarded to be finished only after the guest has read the response message of the request from the ring page. Thus a guest not reading the response can cause xenstored to not free the temporary memory. This can result in memory shortages causing Denial of Service (DoS) of xenstored. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42319 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42320 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-417 tools/xenstored CVE SUMMARY: Xenstore: Guests can get access to Xenstore nodes of deleted domains Access rights of Xenstore nodes are per domid. When a domain is gone, there might be Xenstore nodes left with access rights containing the domid of the removed domain. This is normally no problem, as those access right entries will be corrected when such a node is written later. There is a small time window when a new domain is created, where the access rights of a past domain with the same domid as the new one will be regarded to be still valid, leading to the new domain being able to get access to a node which was meant to be accessible by the removed domain. For this to happen another domain needs to write the node before the newly created domain is being introduced to Xenstore by dom0. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42320 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42321 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-418 tools/xenstored CVE SUMMARY: Xenstore: Guests can crash xenstored via exhausting the stack Xenstored is using recursion for some Xenstore operations (e.g. for deleting a sub-tree of Xenstore nodes). With sufficiently deep nesting levels this can result in stack exhaustion on xenstored, leading to a crash of xenstored. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42321 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42322 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-419 tools/xenstored CVE SUMMARY: Xenstore: Cooperating guests can create arbitrary numbers of nodes T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0's number of nodes isn't limited by Xenstore quota. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42322 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42323 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-419 tools/xenstored CVE SUMMARY: Xenstore: Cooperating guests can create arbitrary numbers of nodes T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Since the fix of XSA-322 any Xenstore node owned by a removed domain will be modified to be owned by Dom0. This will allow two malicious guests working together to create an arbitrary number of Xenstore nodes. This is possible by domain A letting domain B write into domain A's local Xenstore tree. Domain B can then create many nodes and reboot. The nodes created by domain B will now be owned by Dom0. By repeating this process over and over again an arbitrary number of nodes can be created, as Dom0's number of nodes isn't limited by Xenstore quota. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42323 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42324 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-420 tools/ocaml/xenstored 32->31 bit truncation CVE SUMMARY: Oxenstored 32->31 bit integer truncation issues Integers in Ocaml are 63 or 31 bits of signed precision. The Ocaml Xenbus library takes a C uint32_t out of the ring and casts it directly to an Ocaml integer. In 64-bit Ocaml builds this is fine, but in 32-bit builds, it truncates off the most significant bit, and then creates unsigned/signed confusion in the remainder. This in turn can feed a negative value into logic not expecting a negative value, resulting in unexpected exceptions being thrown. The unexpected exception is not handled suitably, creating a busy-loop trying (and failing) to take the bad packet out of the xenstore ring. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42324 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42325 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-421 tools/xenstored CVE SUMMARY: Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42325 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42326 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-421 tools/xenstored CVE SUMMARY: Xenstore: Guests can create arbitrary number of nodes via transactions T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] In case a node has been created in a transaction and it is later deleted in the same transaction, the transaction will be terminated with an error. As this error is encountered only when handling the deleted node at transaction finalization, the transaction will have been performed partially and without updating the accounting information. This will enable a malicious guest to create arbitrary number of nodes. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42326 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42327 CVE STATUS: Patched CVE SUMMARY: x86: unintended memory sharing between guests On Intel systems that support the "virtualize APIC accesses" feature, a guest can read and write the global shared xAPIC page by moving the local APIC out of xAPIC mode. Access to this shared page bypasses the expected isolation that should exist between two guests. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42327 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42330 CVE STATUS: Patched CVE SUMMARY: Guests can cause Xenstore crash via soft reset When a guest issues a "Soft Reset" (e.g. for performing a kexec) the libxl based Xen toolstack will normally perform a XS_RELEASE Xenstore operation. Due to a bug in xenstored this can result in a crash of xenstored. Any other use of XS_RELEASE will have the same impact. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42330 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42331 CVE STATUS: Patched CVE SUMMARY: x86: speculative vulnerability in 32bit SYSCALL path Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42331 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42332 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-427 shadow + log-dirty UAF CVE SUMMARY: x86 shadow plus log-dirty mode use-after-free In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Shadow mode maintains a pool of memory used for both shadow page tables as well as auxiliary data structures. To migrate or snapshot guests, Xen additionally runs them in so called log-dirty mode. The data structures needed by the log-dirty tracking are part of aformentioned auxiliary data. In order to keep error handling efforts within reasonable bounds, for operations which may require memory allocations shadow mode logic ensures up front that enough memory is available for the worst case requirements. Unfortunately, while page table memory is properly accounted for on the code path requiring the potential establishing of new shadows, demands by the log-dirty infrastructure were not taken into consideration. As a result, just established shadow page tables could be freed again immediately, while other code is still accessing them on the assumption that they would remain allocated. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42332 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42333 CVE STATUS: Patched CVE SUMMARY: x86/HVM pinned cache attributes mis-handling T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such guests. This interface may therefore be used by not fully privileged entities, e.g. qemu running deprivileged in Dom0 or qemu running in a so called stub-domain. With this exposure it is an issue that - the number of the such controlled regions was unbounded (CVE-2022-42333), - installation and removal of such regions was not properly serialized (CVE-2022-42334). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42333 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42334 CVE STATUS: Patched CVE SUMMARY: x86/HVM pinned cache attributes mis-handling T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] To allow cachability control for HVM guests with passed through devices, an interface exists to explicitly override defaults which would otherwise be put in place. While not exposed to the affected guests themselves, the interface specifically exists for domains controlling such guests. This interface may therefore be used by not fully privileged entities, e.g. qemu running deprivileged in Dom0 or qemu running in a so called stub-domain. With this exposure it is an issue that - the number of the such controlled regions was unbounded (CVE-2022-42333), - installation and removal of such regions was not properly serialized (CVE-2022-42334). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42334 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42335 CVE STATUS: Patched CVE SUMMARY: x86 shadow paging arbitrary pointer dereference In environments where host assisted address translation is necessary but Hardware Assisted Paging (HAP) is unavailable, Xen will run guests in so called shadow mode. Due to too lax a check in one of the hypervisor routines used for shadow page handling it is possible for a guest with a PCI device passed through to cause the hypervisor to access an arbitrary pointer partially under guest control. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42335 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-42336 CVE STATUS: Patched CVE SUMMARY: Mishandling of guest SSBD selection on AMD hardware The current logic to set SSBD on AMD Family 17h and Hygon Family 18h processors requires that the setting of SSBD is coordinated at a core level, as the setting is shared between threads. Logic was introduced to keep track of how many threads require SSBD active in order to coordinate it, such logic relies on using a per-core counter of threads that have SSBD active. When running on the mentioned hardware, it's possible for a guest to under or overflow the thread counter, because each write to VIRT_SPEC_CTRL.SSBD by the guest gets propagated to the helper that does the per-core active accounting. Underflowing the counter causes the value to get saturated, and thus attempts for guests running on the same core to set SSBD won't have effect because the hypervisor assumes it's already active. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42336 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2022-4949 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-443 tools/libs/fsimage + pygrub deprivileged mode CVE SUMMARY: The AdSanity plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_upload' function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers with Contributor+ level privileges to upload arbitrary files on the affected sites server which makes remote code execution possible. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4949 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-20588 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-439 divide speculative leak (AMD) CVE SUMMARY: A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.  CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20588 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-20593 CVE STATUS: Patched CVE SUMMARY: An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-20593 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-34319 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-432 Linux netback overrun; fix is in Linux CVE SUMMARY: The fix for XSA-423 added logic to Linux'es netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didn't account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area that's specially dealt with to keep all (possible) headers together. Such an unusual packet would therefore trigger a buffer overrun in the driver. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34319 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-34320 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-436 Cortex-A77 deadlock (Arm) CVE SUMMARY: Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412 where software, under certain circumstances, could deadlock a core due to the execution of either a load to device or non-cacheable memory, and either a store exclusive or register read of the Physical Address Register (PAR_EL1) in close proximity. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34320 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-34321 CVE STATUS: Patched CVE SUMMARY: Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34321 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-34322 CVE STATUS: Patched CVE SUMMARY: For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. Since Xen itself needs to be mapped when PV guests run, Xen and shadowed PV guests run directly the respective shadow page tables. For 64-bit PV guests this means running on the shadow of the guest root page table. In the course of dealing with shortage of memory in the shadow pool associated with a domain, shadows of page tables may be torn down. This tearing down may include the shadow root page table that the CPU in question is presently running on. While a precaution exists to supposedly prevent the tearing down of the underlying live page table, the time window covered by that precaution isn't large enough. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34322 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-34323 CVE STATUS: Patched CVE SUMMARY: When a transaction is committed, C Xenstored will first check the quota is correct before attempting to commit any nodes. It would be possible that accounting is temporarily negative if a node has been removed outside of the transaction. Unfortunately, some versions of C Xenstored are assuming that the quota cannot be negative and are using assert() to confirm it. This will lead to C Xenstored crash when tools are built without -DNDEBUG (this is the default). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34323 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-34324 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: XSA-441 Linux event-channel deadlock; fix is in Linux CVE SUMMARY: Closing of an event channel in the Linux kernel can result in a deadlock. This happens when the close is being performed in parallel to an unrelated Xen console action and the handling of a Xen console interrupt in an unprivileged guest. The closing of an event channel is e.g. triggered by removal of a paravirtual device on the other side. As this action will cause console messages to be issued on the other side quite often, the chance of triggering the deadlock is not neglectable. Note that 32-bit Arm-guests are not affected, as the 32-bit Linux kernel on Arm doesn't use queued-RW-locks, which are required to trigger the issue (on Arm32 a waiting writer doesn't block further readers to get the lock). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34324 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-34325 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-443 tools/libs/fsimage + pygrub deprivileged mode CVE SUMMARY: [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] libfsimage contains parsing code for several filesystems, most of them based on grub-legacy code. libfsimage is used by pygrub to inspect guest disks. Pygrub runs as the same user as the toolstack (root in a priviledged domain). At least one issue has been reported to the Xen Security Team that allows an attacker to trigger a stack buffer overflow in libfsimage. After further analisys the Xen Security Team is no longer confident in the suitability of libfsimage when run against guest controlled input with super user priviledges. In order to not affect current deployments that rely on pygrub patches are provided in the resolution section of the advisory that allow running pygrub in deprivileged mode. CVE-2023-4949 refers to the original issue in the upstream grub project ("An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-legacy in such a way to exploit a memory corruption in grub’s XFS file system implementation.") CVE-2023-34325 refers specifically to the vulnerabilities in Xen's copy of libfsimage, which is decended from a very old version of grub. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34325 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-34326 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-442 IOMMU TLB flushing (AMD) CVE SUMMARY: The caching invalidation guidelines from the AMD-Vi specification (48882—Rev 3.07-PUB—Oct 2022) is incorrect on some hardware, as devices will malfunction (see stale DMA mappings) if some fields of the DTE are updated but the IOMMU TLB is not flushed. Such stale DMA mappings can point to memory ranges not owned by the guest, thus allowing access to unindented memory regions. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34326 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-34327 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-444 Debug Mask handling (AMD) CVE SUMMARY: [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34327 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-34328 CVE STATUS: Patched CVE SUMMARY: [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] AMD CPUs since ~2014 have extensions to normal x86 debugging functionality. Xen supports guests using these extensions. Unfortunately there are errors in Xen's handling of the guest state, leading to denials of service. 1) CVE-2023-34327 - An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state. 2) CVE-2023-34328 - A PV vCPU can place a breakpoint over the live GDT. This allows the PV vCPU to exploit XSA-156 / CVE-2015-8104 and lock up the CPU entirely. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34328 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-46835 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-445 IOMMU quarantine PT levels (AMD) CVE SUMMARY: The current setup of the quarantine page tables assumes that the quarantine domain (dom_io) has been initialized with an address width of DEFAULT_DOMAIN_ADDRESS_WIDTH (48) and hence 4 page table levels. However dom_io being a PV domain gets the AMD-Vi IOMMU page tables levels based on the maximum (hot pluggable) RAM address, and hence on systems with no RAM above the 512GB mark only 3 page-table levels are configured in the IOMMU. On systems without RAM above the 512GB boundary amd_iommu_quarantine_init() will setup page tables for the scratch page with 4 levels, while the IOMMU will be configured to use 3 levels only, resulting in the last page table directory (PDE) effectively becoming a page table entry (PTE), and hence a device in quarantine mode gaining write access to the page destined to be a PDE. Due to this page table level mismatch, the sink page the device gets read/write access to is no longer cleared between device assignment, possibly leading to data leaks. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46835 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-46836 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-446 BTC/SRSO completeness (AMD) CVE SUMMARY: The fixes for XSA-422 (Branch Type Confusion) and XSA-434 (Speculative Return Stack Overflow) are not IRQ-safe. It was believed that the mitigations always operated in contexts with IRQs disabled. However, the original XSA-254 fix for Meltdown (XPTI) deliberately left interrupts enabled on two entry paths; one unconditionally, and one conditionally on whether XPTI was active. As BTC/SRSO and Meltdown affect different CPU vendors, the mitigations are not active together by default. Therefore, there is a race condition whereby a malicious PV guest can bypass BTC/SRSO protections and launch a BTC/SRSO attack against Xen. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46836 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-46837 CVE STATUS: Patched CVE SUMMARY: Arm provides multiple helpers to clean & invalidate the cache for a given region. This is, for instance, used when allocating guest memory to ensure any writes (such as the ones during scrubbing) have reached memory before handing over the page to a guest. Unfortunately, the arithmetics in the helpers can overflow and would then result to skip the cache cleaning/invalidation. Therefore there is no guarantee when all the writes will reach the memory. This undefined behavior was meant to be addressed by XSA-437, but the approach was not sufficient. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46837 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-46839 CVE STATUS: Unpatched CVE SUMMARY: PCI devices can make use of a functionality called phantom functions, that when enabled allows the device to generate requests using the IDs of functions that are otherwise unpopulated. This allows a device to extend the number of outstanding requests. Such phantom functions need an IOMMU context setup, but failure to setup the context is not fatal when the device is assigned. Not failing device assignment when such failure happens can lead to the primary device being assigned to a guest, while some of the phantom functions are assigned to a different domain. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46839 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-46840 CVE STATUS: Unpatched CVE SUMMARY: Incorrect placement of a preprocessor directive in source code results in logic that doesn't operate as intended when support for HVM guests is compiled out of Xen. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46840 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-46841 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-451 shadow stack vs emulation-stub exceptions CVE SUMMARY: Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called "shadow stacks", holding little more than return addresses. Shadow stacks aren't writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack. In particular certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves kind of replaying of the instruction. Such replaying typically involves filling and then invoking of a stub. Such a replayed instruction may raise an exceptions, which is expected and dealt with accordingly. Unfortunately the interaction of both of the above wasn't right: Recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46841 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-46842 CVE STATUS: Unpatched CVE SUMMARY: Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to. When processing of hypercalls takes a considerable amount of time, the hypervisor may choose to invoke a hypercall continuation. Doing so involves putting (perhaps updated) hypercall arguments in respective registers. For guests not running in 64-bit mode this further involves a certain amount of translation of the values. Unfortunately internal sanity checking of these translated values assumes high halves of registers to always be clear when invoking a hypercall. When this is found not to be the case, it triggers a consistency check in the hypervisor and causes a crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46842 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2023-4949 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: XSA-443 upstream GRUB issue mirrored in libfsimage; covered by deprivileged-pygrub work upstream CVE SUMMARY: An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-legacy in such a way to exploit a memory corruption in grub’s XFS file system implementation. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4949 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2024-31142 CVE STATUS: Patched CVE SUMMARY: Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-31142 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2024-31143 CVE STATUS: Unpatched CVE SUMMARY: An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-31143 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2024-31145 CVE STATUS: Unpatched CVE SUMMARY: Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings to potentially remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-31145 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2024-31146 CVE STATUS: Unpatched CVE SUMMARY: When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to - - PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), - - INTx lines. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-31146 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2024-45817 CVE STATUS: Unpatched CVE SUMMARY: In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse through vlapic_error(). The recursion itself is bounded; errors accumulate in the the status register and only generate an interrupt when a new status bit becomes set. However, the lock protecting this state in Xen will try to be taken recursively, and deadlock. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45817 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2024-45818 CVE STATUS: Patched CVE SUMMARY: The hypervisor contains code to accelerate VGA memory accesses for HVM guests, when the (virtual) VGA is in "standard" mode. Locking involved there has an unusual discipline, leaving a lock acquired past the return from the function that acquired it. This behavior results in a problem when emulating an instruction with two memory accesses, both of which touch VGA memory (plus some further constraints which aren't relevant here). When emulating the 2nd access, the lock that is already being held would be attempted to be re-acquired, resulting in a deadlock. This deadlock was already found when the code was first introduced, but was analysed incorrectly and the fix was incomplete. Analysis in light of the new finding cannot find a way to make the existing locking discipline work. In staging, this logic has all been removed because it was discovered to be accidentally disabled since Xen 4.7. Therefore, we are fixing the locking problem by backporting the removal of most of the feature. Note that even with the feature disabled, the lock would still be acquired for any accesses to the VGA MMIO region. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45818 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2024-45819 CVE STATUS: Unpatched CVE SUMMARY: PVH guests have their ACPI tables constructed by the toolstack. The construction involves building the tables in local memory, which are then copied into guest memory. While actually used parts of the local memory are filled in correctly, excess space that is being allocated is left with its prior contents. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45819 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2025-1713 CVE STATUS: Unpatched CVE SUMMARY: When setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-1713 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2025-27465 CVE STATUS: Unpatched CVE SUMMARY: Certain instructions need intercepting and emulating by Xen. In some cases Xen emulates the instruction by replaying it, using an executable stub. Some instructions may raise an exception, which is supposed to be handled gracefully. Certain replayed instructions have additional logic to set up and recover the changes to the arithmetic flags. For replayed instructions where the flags recovery logic is used, the metadata for exception handling was incorrect, preventing Xen from handling the the exception gracefully, treating it as fatal instead. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-27465 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2025-27466 CVE STATUS: Patched CVE SUMMARY: [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-27466 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2025-58142 CVE STATUS: Patched CVE SUMMARY: [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-58142 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2025-58143 CVE STATUS: Patched CVE SUMMARY: [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple issues related to the handling and accessing of guest memory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-58143 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2025-58144 CVE STATUS: Patched CVE SUMMARY: [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. This is CVE-2025-58144. And then the P2M lock isn't held until a page reference was actually obtained (or the attempt to do so has failed). Otherwise the page can not only change type, but even ownership in between, thus allowing domain boundaries to be violated. This is CVE-2025-58145. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-58144 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2025-58145 CVE STATUS: Patched CVE SUMMARY: [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are two issues related to the mapping of pages belonging to other domains: For one, an assertion is wrong there, where the case actually needs handling. A NULL pointer de-reference could result on a release build. This is CVE-2025-58144. And then the P2M lock isn't held until a page reference was actually obtained (or the attempt to do so has failed). Otherwise the page can not only change type, but even ownership in between, thus allowing domain boundaries to be violated. This is CVE-2025-58145. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-58145 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2025-58147 CVE STATUS: Unpatched CVE SUMMARY: [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs. * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format. * CVE-2025-58148. Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-58147 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2025-58148 CVE STATUS: Unpatched CVE SUMMARY: [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Some Viridian hypercalls can specify a mask of vCPU IDs as an input, in one of three formats. Xen has boundary checking bugs with all three formats, which can cause out-of-bounds reads and writes while processing the inputs. * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format. * CVE-2025-58148. Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-58148 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2025-58149 CVE STATUS: Unpatched CVE SUMMARY: When passing through PCI devices, the detach logic in libxl won't remove access permissions to any 64bit memory BARs the device might have. As a result a domain can still have access any 64bit memory BAR when such device is no longer assigned to the domain. For PV domains the permission leak allows the domain itself to map the memory in the page-tables. For HVM it would require a compromised device model or stubdomain to map the leaked memory into the HVM domain p2m. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-58149 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2025-58150 CVE STATUS: Unpatched CVE SUMMARY: Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-58150 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2026-23553 CVE STATUS: Unpatched CVE SUMMARY: In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1's training still in the BTB. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 2.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-23553 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2026-23554 CVE STATUS: Unpatched CVE SUMMARY: The Intel EPT paging code uses an optimization to defer flushing of any cached EPT state until the p2m lock is dropped, so that multiple modifications done under the same locked region only issue a single flush. Freeing of paging structures however is not deferred until the flushing is done, and can result in freed pages transiently being present in cached state. Such stale entries can point to memory ranges not owned by the guest, thus allowing access to unintended memory regions. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-23554 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2026-23555 CVE STATUS: Unpatched CVE SUMMARY: Any guest issuing a Xenstore command accessing a node using the (illegal) node path "/local/domain/", will crash xenstored due to a clobbered error indicator in xenstored when verifying the node path. Note that the crash is forced via a failing assert() statement in xenstored. In case xenstored is being built with NDEBUG #defined, an unprivileged guest trying to access the node path "/local/domain/" will result in it no longer being serviced by xenstored, other guests (including dom0) will still be serviced, but xenstored will use up all cpu time it can get. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-23555 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2026-23557 CVE STATUS: Unpatched CVE SUMMARY: Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() triggering. In case xenstored was built with NDEBUG #defined nothing bad will happen, as assert() is doing nothing in this case. Note that the default is not to define NDEBUG for xenstored builds even in release builds of Xen. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-23557 LAYER: meta-xilinx-virtualization PACKAGE NAME: xen PACKAGE VERSION: 4.21.0+stable-xilinx+git CVE: CVE-2026-23558 CVE STATUS: Unpatched CVE SUMMARY: The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may then be freed while mappings of them would still be inserted into the guest's secondary (P2M) page tables. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-23558 LAYER: meta PACKAGE NAME: libtool PACKAGE VERSION: 2.4.7 CVE: CVE-2004-0256 CVE STATUS: Patched CVE SUMMARY: GNU libtool before 1.5.2, during compile time, allows local users to overwrite arbitrary files via a symlink attack on libtool directories in /tmp. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0256 LAYER: meta PACKAGE NAME: libtool PACKAGE VERSION: 2.4.7 CVE: CVE-2009-3736 CVE STATUS: Patched CVE SUMMARY: ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, as used in Ham Radio Control Libraries, Q, and possibly other products, attempts to open a .la file in the current working directory, which allows local users to gain privileges via a Trojan horse file. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3736 LAYER: meta PACKAGE NAME: libbsd PACKAGE VERSION: 0.12.1 CVE: CVE-2016-2090 CVE STATUS: Patched CVE SUMMARY: Off-by-one vulnerability in the fgetwln function in libbsd before 0.8.2 allows attackers to have unspecified impact via unknown vectors, which trigger a heap-based buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2090 LAYER: meta PACKAGE NAME: libbsd PACKAGE VERSION: 0.12.1 CVE: CVE-2019-20367 CVE STATUS: Patched CVE SUMMARY: nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab). CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20367 LAYER: meta PACKAGE NAME: gdb PACKAGE VERSION: 14.2 CVE: CVE-2005-1704 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the Binary File Descriptor (BFD) library for gdb before 6.3, binutils, elfutils, and possibly other packages, allows user-assisted attackers to execute arbitrary code via a crafted object file that specifies a large number of section headers, leading to a heap-based buffer overflow. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1704 LAYER: meta PACKAGE NAME: gdb PACKAGE VERSION: 14.2 CVE: CVE-2005-1705 CVE STATUS: Patched CVE SUMMARY: gdb before 6.3 searches the current working directory to load the .gdbinit configuration file, which allows local users to execute arbitrary commands as the user running gdb. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1705 LAYER: meta PACKAGE NAME: gdb PACKAGE VERSION: 14.2 CVE: CVE-2006-4146 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the (1) DWARF (dwarfread.c) and (2) DWARF2 (dwarf2read.c) debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4146 LAYER: meta PACKAGE NAME: gdb PACKAGE VERSION: 14.2 CVE: CVE-2011-4355 CVE STATUS: Patched CVE SUMMARY: GNU Project Debugger (GDB) before 7.5, when .debug_gdb_scripts is defined, automatically loads certain files from the current working directory, which allows local users to gain privileges via crafted files such as Python scripts. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4355 LAYER: meta PACKAGE NAME: gdb PACKAGE VERSION: 14.2 CVE: CVE-2017-9778 CVE STATUS: Patched CVE SUMMARY: GNU Debugger (GDB) 8.0 and earlier fails to detect a negative length field in a DWARF section. A malformed section in an ELF binary or a core file can cause GDB to repeatedly allocate memory until a process limit is reached. This can, for example, impede efforts to analyze malware with GDB. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9778 LAYER: meta PACKAGE NAME: gdb PACKAGE VERSION: 14.2 CVE: CVE-2019-1010180 CVE STATUS: Patched CVE SUMMARY: GNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module. The attack vector is: Open an ELF for debugging. The fixed version is: Not fixed yet. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010180 LAYER: meta PACKAGE NAME: gdb PACKAGE VERSION: 14.2 CVE: CVE-2023-39128 CVE STATUS: Patched CVE SUMMARY: GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a stack overflow via the function ada_decode at /gdb/ada-lang.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39128 LAYER: meta PACKAGE NAME: gdb PACKAGE VERSION: 14.2 CVE: CVE-2023-39129 CVE STATUS: Patched CVE SUMMARY: GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap use after free via the function add_pe_exported_sym() at /gdb/coff-pe-read.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39129 LAYER: meta PACKAGE NAME: gdb PACKAGE VERSION: 14.2 CVE: CVE-2023-39130 CVE STATUS: Patched CVE SUMMARY: GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap buffer overflow via the function pe_as16() at /gdb/coff-pe-read.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-39130 LAYER: meta PACKAGE NAME: libwebp PACKAGE VERSION: 1.3.2 CVE: CVE-2016-9085 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in libwebp allows attackers to have unspecified impact via unknown vectors. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9085 LAYER: meta PACKAGE NAME: libwebp PACKAGE VERSION: 1.3.2 CVE: CVE-2016-9969 CVE STATUS: Patched CVE SUMMARY: In libwebp 0.5.1, there is a double free bug in libwebpmux. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9969 LAYER: meta PACKAGE NAME: libwebp PACKAGE VERSION: 1.3.2 CVE: CVE-2018-25009 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE16(). CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25009 LAYER: meta PACKAGE NAME: libwebp PACKAGE VERSION: 1.3.2 CVE: CVE-2018-25010 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ApplyFilter(). CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25010 LAYER: meta PACKAGE NAME: libwebp PACKAGE VERSION: 1.3.2 CVE: CVE-2018-25011 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in PutLE16(). CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25011 LAYER: meta PACKAGE NAME: libwebp PACKAGE VERSION: 1.3.2 CVE: CVE-2018-25012 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in GetLE24(). CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25012 LAYER: meta PACKAGE NAME: libwebp PACKAGE VERSION: 1.3.2 CVE: CVE-2018-25013 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ShiftBytes(). CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25013 LAYER: meta PACKAGE NAME: libwebp PACKAGE VERSION: 1.3.2 CVE: CVE-2018-25014 CVE STATUS: Patched CVE SUMMARY: A use of uninitialized value was found in libwebp in versions before 1.0.1 in ReadSymbol(). CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25014 LAYER: meta PACKAGE NAME: libwebp PACKAGE VERSION: 1.3.2 CVE: CVE-2020-36328 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36328 LAYER: meta PACKAGE NAME: libwebp PACKAGE VERSION: 1.3.2 CVE: CVE-2020-36329 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libwebp in versions before 1.0.1. A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36329 LAYER: meta PACKAGE NAME: libwebp PACKAGE VERSION: 1.3.2 CVE: CVE-2020-36330 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkVerifyAndAssign. The highest threat from this vulnerability is to data confidentiality and to the service availability. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36330 LAYER: meta PACKAGE NAME: libwebp PACKAGE VERSION: 1.3.2 CVE: CVE-2020-36331 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkAssignData. The highest threat from this vulnerability is to data confidentiality and to the service availability. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36331 LAYER: meta PACKAGE NAME: libwebp PACKAGE VERSION: 1.3.2 CVE: CVE-2020-36332 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libwebp in versions before 1.0.1. When reading a file libwebp allocates an excessive amount of memory. The highest threat from this vulnerability is to the service availability. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36332 LAYER: meta PACKAGE NAME: libwebp PACKAGE VERSION: 1.3.2 CVE: CVE-2023-1999 CVE STATUS: Patched CVE SUMMARY: There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1999 LAYER: meta PACKAGE NAME: libwebp PACKAGE VERSION: 1.3.2 CVE: CVE-2023-4863 CVE STATUS: Patched CVE SUMMARY: Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical) CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4863 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-1999-0473 CVE STATUS: Patched CVE SUMMARY: The rsync command before rsync 2.3.1 may inadvertently change the permissions of the client's working directory to the permissions of the directory being transferred. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0473 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2002-0048 CVE STATUS: Patched CVE SUMMARY: Multiple signedness errors (mixed signed and unsigned numbers) in the I/O functions of rsync 2.4.6, 2.3.2, and other versions allow remote attackers to cause a denial of service and execute arbitrary code in the rsync client or server. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0048 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2002-0080 CVE STATUS: Patched CVE SUMMARY: rsync, when running in daemon mode, does not properly call setgroups before dropping privileges, which could provide supplemental group privileges to local users, who could then read certain files that would otherwise be disallowed. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0080 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2003-0962 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in rsync before 2.5.7, when running in server mode, allows remote attackers to execute arbitrary code and possibly escape the chroot jail. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0962 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2004-0426 CVE STATUS: Patched CVE SUMMARY: rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0426 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2004-0792 CVE STATUS: Patched CVE SUMMARY: Directory traversal vulnerability in the sanitize_path function in util.c for rsync 2.6.2 and earlier, when chroot is disabled, allows attackers to read or write certain files. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0792 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2006-2083 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the receive_xattr function in the extended attributes patch (xattr.c) for rsync before 2.6.8 might allow attackers to execute arbitrary code via crafted extended attributes that trigger a buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2083 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2007-4091 CVE STATUS: Patched CVE SUMMARY: Multiple off-by-one errors in the sender.c in rsync 2.6.9 might allow remote attackers to execute arbitrary code via directory names that are not properly handled when calling the f_name function. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4091 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2007-6199 CVE STATUS: Patched CVE SUMMARY: rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows remote attackers to access restricted files via unknown vectors that cause rsync to create a symlink that points outside of the module's hierarchy. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6199 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2007-6200 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in rsync before 3.0.0pre6, when running a writable rsync daemon, allows remote attackers to bypass exclude, exclude_from, and filter and read or write hidden files via (1) symlink, (2) partial-dir, (3) backup-dir, and unspecified (4) dest options. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6200 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2008-1720 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in rsync 2.6.9 to 3.0.1, with extended attribute (xattr) support enabled, might allow remote attackers to execute arbitrary code via unknown vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1720 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2011-1097 CVE STATUS: Patched CVE SUMMARY: rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership options are used, allows remote rsync servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via malformed data. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1097 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2014-2855 CVE STATUS: Patched CVE SUMMARY: The check_secret function in authenticate.c in rsync 3.1.0 and earlier allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a user name which does not exist in the secrets file. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2855 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2014-9512 CVE STATUS: Patched CVE SUMMARY: rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9512 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2017-15994 CVE STATUS: Patched CVE SUMMARY: rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the code has been copied for use in various GitHub projects. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15994 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2017-16548 CVE STATUS: Patched CVE SUMMARY: The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact by sending crafted data to the daemon. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16548 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2017-17433 CVE STATUS: Patched CVE SUMMARY: The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17433 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2017-17434 CVE STATUS: Patched CVE SUMMARY: The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17434 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2018-5764 CVE STATUS: Patched CVE SUMMARY: The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5764 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2020-14387 CVE STATUS: Patched CVE SUMMARY: A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote, unauthenticated attacker could exploit the flaw by performing a man-in-the-middle attack using a valid certificate for another hostname which could compromise confidentiality and integrity of data transmitted using rsync-ssl. The highest threat from this vulnerability is to data confidentiality and integrity. This flaw affects rsync versions before 3.2.4. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14387 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2022-29154 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29154 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2024-12084 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-12084 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2024-12085 CVE STATUS: Patched CVE SUMMARY: A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-12085 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2024-12086 CVE STATUS: Patched CVE SUMMARY: A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-12086 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2024-12087 CVE STATUS: Patched CVE SUMMARY: A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-12087 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2024-12088 CVE STATUS: Patched CVE SUMMARY: A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-12088 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2024-12747 CVE STATUS: Patched CVE SUMMARY: A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-12747 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2025-10158 CVE STATUS: Patched CVE SUMMARY: A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-10158 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2026-29518 CVE STATUS: Unpatched CVE SUMMARY: Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 7.3 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-29518 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2026-41035 CVE STATUS: Unpatched CVE SUMMARY: In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-41035 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2026-43617 CVE STATUS: Unpatched CVE SUMMARY: Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.8 CVSS v4 BASE SCORE: 6.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-43617 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2026-43618 CVE STATUS: Unpatched CVE SUMMARY: Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 6.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-43618 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2026-43619 CVE STATUS: Unpatched CVE SUMMARY: Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 7.2 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-43619 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2026-43620 CVE STATUS: Unpatched CVE SUMMARY: Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 6.9 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-43620 LAYER: meta PACKAGE NAME: rsync PACKAGE VERSION: 3.2.7 CVE: CVE-2026-45232 CVE STATUS: Unpatched CVE SUMMARY: Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memory by sending a malformed HTTP proxy response. Attackers can exploit this by positioning themselves between the client and proxy or controlling the proxy server to send a response line of 1023 or more bytes without a newline terminator, causing a null byte to be written to an out-of-bounds stack address when the RSYNC_PROXY environment variable is set. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.1 CVSS v4 BASE SCORE: 2.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-45232 LAYER: meta PACKAGE NAME: libxi PACKAGE VERSION: 1_1.8.1 CVE: CVE-2013-1984 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in X.org libXi 1.7.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XGetDeviceControl, (2) XGetFeedbackControl, (3) XGetDeviceDontPropagateList, (4) XGetDeviceMotionEvents, (5) XIGetProperty, (6) XIGetSelectedEvents, (7) XGetDeviceProperties, and (8) XListInputDevices functions. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1984 LAYER: meta PACKAGE NAME: libxi PACKAGE VERSION: 1_1.8.1 CVE: CVE-2013-1995 CVE STATUS: Patched CVE SUMMARY: X.org libXi 1.7.1 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to an unexpected sign extension in the XListInputDevices function. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1995 LAYER: meta PACKAGE NAME: libxi PACKAGE VERSION: 1_1.8.1 CVE: CVE-2013-1998 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in X.org libXi 1.7.1 and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XGetDeviceButtonMapping, (2) XIPassiveGrabDevice, and (3) XQueryDeviceState functions. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1998 LAYER: meta PACKAGE NAME: libxi PACKAGE VERSION: 1_1.8.1 CVE: CVE-2016-7945 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in X.org libXi before 1.7.7 allow remote X servers to cause a denial of service (out-of-bounds memory access or infinite loop) via vectors involving length fields. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7945 LAYER: meta PACKAGE NAME: libxi PACKAGE VERSION: 1_1.8.1 CVE: CVE-2016-7946 CVE STATUS: Patched CVE SUMMARY: X.org libXi before 1.7.7 allows remote X servers to cause a denial of service (infinite loop) via vectors involving length fields. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7946 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2016-9015 CVE STATUS: Patched CVE SUMMARY: Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not correctly validate TLS certificates. This places users of the library with those configurations at risk of man-in-the-middle and information leakage attacks. This vulnerability affects users using versions 1.17 and 1.18 of the urllib3 library, who are using the optional PyOpenSSL support for TLS instead of the regular standard library TLS backend, and who are using OpenSSL 1.1.0 via PyOpenSSL. This is an extremely uncommon configuration, so the security impact of this vulnerability is low. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9015 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2018-20060 CVE STATUS: Patched CVE SUMMARY: urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20060 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2018-25091 CVE STATUS: Patched CVE SUMMARY: urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25091 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2019-11236 CVE STATUS: Patched CVE SUMMARY: In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11236 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2019-11324 CVE STATUS: Patched CVE SUMMARY: The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11324 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2020-26137 CVE STATUS: Patched CVE SUMMARY: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-26137 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2020-7212 CVE STATUS: Patched CVE SUMMARY: The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2). CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7212 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2021-28363 CVE STATUS: Patched CVE SUMMARY: The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28363 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2021-33503 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33503 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2023-43804 CVE STATUS: Patched CVE SUMMARY: urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43804 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2023-45803 CVE STATUS: Patched CVE SUMMARY: urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.2 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-45803 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2024-37891 CVE STATUS: Patched CVE SUMMARY: urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-37891 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2025-50181 CVE STATUS: Patched CVE SUMMARY: urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-50181 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2025-50182 CVE STATUS: Unpatched CVE SUMMARY: urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-50182 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2025-66418 CVE STATUS: Patched CVE SUMMARY: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 8.9 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-66418 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2025-66471 CVE STATUS: Patched CVE SUMMARY: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 8.9 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-66471 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2026-21441 CVE STATUS: Patched CVE SUMMARY: urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 8.9 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-21441 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2026-44431 CVE STATUS: Unpatched CVE SUMMARY: urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 8.2 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-44431 LAYER: meta PACKAGE NAME: python3-urllib3 PACKAGE VERSION: 2.2.2 CVE: CVE-2026-44432 CVE STATUS: Patched CVE SUMMARY: urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 8.9 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-44432 LAYER: meta-oe PACKAGE NAME: s-nail PACKAGE VERSION: 14.9.24 CVE: CVE-2017-5899 CVE STATUS: Patched CVE SUMMARY: Directory traversal vulnerability in the setuid root helper binary in S-nail (later S-mailx) before 14.8.16 allows local users to write to arbitrary files and consequently gain root privileges via a .. (dot dot) in the randstr argument. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5899 LAYER: meta PACKAGE NAME: rxvt-unicode PACKAGE VERSION: 9.31 CVE: CVE-2004-2215 CVE STATUS: Patched CVE SUMMARY: RXVT-Unicode 3.4 and 3.5 does not properly close file descriptors, which allows local users to access the terminals of other users and possibly gain privileges. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2215 LAYER: meta PACKAGE NAME: rxvt-unicode PACKAGE VERSION: 9.31 CVE: CVE-2005-0764 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in command.C for rxvt-unicode before 5.3 allows remote attackers to execute arbitrary code via a crafted file containing long escape sequences. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0764 LAYER: meta PACKAGE NAME: rxvt-unicode PACKAGE VERSION: 9.31 CVE: CVE-2006-0126 CVE STATUS: Patched CVE SUMMARY: rxvt-unicode before 6.3, on certain platforms that use openpty and non-Unix pty devices such as Linux and most BSD platforms, does not maintain the intended permissions of tty devices, which allows local users to gain read and write access to the devices. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0126 LAYER: meta PACKAGE NAME: rxvt-unicode PACKAGE VERSION: 9.31 CVE: CVE-2008-1142 CVE STATUS: Patched CVE SUMMARY: rxvt 2.6.4 opens a terminal window on :0 if the DISPLAY environment variable is not set, which might allow local users to hijack X11 connections. NOTE: it was later reported that rxvt-unicode, mrxvt, aterm, multi-aterm, and wterm are also affected. NOTE: realistic attack scenarios require that the victim enters a command on the wrong machine. CVSS v2 BASE SCORE: 3.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1142 LAYER: meta PACKAGE NAME: rxvt-unicode PACKAGE VERSION: 9.31 CVE: CVE-2014-3121 CVE STATUS: Patched CVE SUMMARY: rxvt-unicode before 9.20 does not properly handle OSC escape sequences, which allows user-assisted remote attackers to manipulate arbitrary X window properties and execute arbitrary commands. CVSS v2 BASE SCORE: 7.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3121 LAYER: meta PACKAGE NAME: rxvt-unicode PACKAGE VERSION: 9.31 CVE: CVE-2021-33477 CVE STATUS: Patched CVE SUMMARY: rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline. CVSS v2 BASE SCORE: 6.5 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33477 LAYER: meta PACKAGE NAME: rxvt-unicode PACKAGE VERSION: 9.31 CVE: CVE-2022-4170 CVE STATUS: Patched CVE SUMMARY: The rxvt-unicode package is vulnerable to a remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4170 LAYER: meta-oe PACKAGE NAME: zeromq PACKAGE VERSION: 4.3.5 CVE: CVE-2014-7202 CVE STATUS: Patched CVE SUMMARY: stream_engine.cpp in libzmq (aka ZeroMQ/C++)) 4.0.5 before 4.0.5 allows man-in-the-middle attackers to conduct downgrade attacks via a crafted connection request. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7202 LAYER: meta-oe PACKAGE NAME: zeromq PACKAGE VERSION: 4.3.5 CVE: CVE-2014-7203 CVE STATUS: Patched CVE SUMMARY: libzmq (aka ZeroMQ/C++) 4.0.x before 4.0.5 does not ensure that nonces are unique, which allows man-in-the-middle attackers to conduct replay attacks via unspecified vectors. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7203 LAYER: meta-oe PACKAGE NAME: zeromq PACKAGE VERSION: 4.3.5 CVE: CVE-2014-9721 CVE STATUS: Patched CVE SUMMARY: libzmq before 4.0.6 and 4.1.x before 4.1.1 allows remote attackers to conduct downgrade attacks and bypass ZMTP v3 protocol security mechanisms via a ZMTP v2 or earlier header. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9721 LAYER: meta-oe PACKAGE NAME: zeromq PACKAGE VERSION: 4.3.5 CVE: CVE-2021-20236 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the ZeroMQ server in versions before 4.3.3. This flaw allows a malicious client to cause a stack buffer overflow on the server by sending crafted topic subscription requests and then unsubscribing. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20236 LAYER: meta PACKAGE NAME: cronie PACKAGE VERSION: 1.7.2 CVE: CVE-2010-0424 CVE STATUS: Patched CVE SUMMARY: The edit_cmd function in crontab.c in (1) cronie before 1.4.4 and (2) Vixie cron (vixie-cron) allows local users to change the modification times of arbitrary files, and consequently cause a denial of service, via a symlink attack on a temporary file in the /tmp directory. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0424 LAYER: meta PACKAGE NAME: cronie PACKAGE VERSION: 1.7.2 CVE: CVE-2012-6097 CVE STATUS: Patched CVE SUMMARY: File descriptor leak in cronie 1.4.8, when running in certain environments, might allow local users to read restricted files, as demonstrated by reading /etc/crontab. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6097 LAYER: meta-oe PACKAGE NAME: yajl PACKAGE VERSION: 2.1.0 CVE: CVE-2017-16516 CVE STATUS: Patched CVE SUMMARY: In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16516 LAYER: meta-oe PACKAGE NAME: yajl PACKAGE VERSION: 2.1.0 CVE: CVE-2022-24795 CVE STATUS: Patched CVE SUMMARY: yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24795 LAYER: meta-oe PACKAGE NAME: yajl PACKAGE VERSION: 2.1.0 CVE: CVE-2023-33460 CVE STATUS: Patched CVE SUMMARY: There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function. which will cause out-of-memory in server and cause crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33460 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2014-0047 CVE STATUS: Patched CVE SUMMARY: Docker before 1.5 allows local users to have unspecified impact via vectors involving unsafe /tmp usage. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0047 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2014-0048 CVE STATUS: Patched CVE SUMMARY: An issue was found in Docker before 1.6.0. Some programs and scripts in Docker are downloaded via HTTP and then executed or used in unsafe ways. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0048 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2014-3499 CVE STATUS: Patched CVE SUMMARY: Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3499 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2014-5277 CVE STATUS: Patched CVE SUMMARY: Docker before 1.3.1 and docker-py before 0.5.3 fall back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5277 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2014-5278 CVE STATUS: Patched CVE SUMMARY: A vulnerability exists in Docker before 1.2 via container names, which may collide with and override container IDs. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5278 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2014-5282 CVE STATUS: Patched CVE SUMMARY: Docker before 1.3 does not properly validate image IDs, which allows remote attackers to redirect to another image through the loading of untrusted images via 'docker load'. CVSS v2 BASE SCORE: 5.5 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5282 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2014-6407 CVE STATUS: Patched CVE SUMMARY: Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6407 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2014-6408 CVE STATUS: Patched CVE SUMMARY: Docker 1.3.0 through 1.3.1 allows remote attackers to modify the default run profile of image containers and possibly bypass the container by applying unspecified security options to an image. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6408 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2014-8178 CVE STATUS: Patched CVE SUMMARY: Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier to store image layers, which makes it easier for attackers to poison the image cache via a crafted image in pull or push commands. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8178 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2014-8179 CVE STATUS: Patched CVE SUMMARY: Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 does not properly validate and extract the manifest object from its JSON representation during a pull, which allows attackers to inject new attributes in a JSON object and bypass pull-by-digest validation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8179 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2014-9356 CVE STATUS: Patched CVE SUMMARY: Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or (2) build in a Dockerfile. CVSS v2 BASE SCORE: 8.5 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:C/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9356 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2014-9357 CVE STATUS: Patched CVE SUMMARY: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9357 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2014-9358 CVE STATUS: Patched CVE SUMMARY: Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) "docker load" operation or (2) "registry communications." CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9358 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2015-1843 CVE STATUS: Patched CVE SUMMARY: The Red Hat docker package before 1.5.0-28, when using the --add-registry option, falls back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic. NOTE: this vulnerability exists because of a CVE-2014-5277 regression. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1843 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2015-3627 CVE STATUS: Patched CVE SUMMARY: Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3627 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2015-3630 CVE STATUS: Patched CVE SUMMARY: Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3630 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2015-3631 CVE STATUS: Patched CVE SUMMARY: Docker Engine before 1.6.1 allows local users to set arbitrary Linux Security Modules (LSM) and docker_t policies via an image that allows volumes to override files in /proc. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3631 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2016-3697 CVE STATUS: Patched CVE SUMMARY: libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3697 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2016-6595 CVE STATUS: Patched CVE SUMMARY: The SwarmKit toolkit 1.12.0 for Docker allows remote authenticated users to cause a denial of service (prevention of cluster joins) via a long sequence of join and quit actions. NOTE: the vendor disputes this issue, stating that this sequence is not "removing the state that is left by old nodes. At some point the manager obviously stops being able to accept new nodes, since it runs out of memory. Given that both for Docker swarm and for Docker Swarmkit nodes are *required* to provide a secret token (it's actually the only mode of operation), this means that no adversary can simply join nodes and exhaust manager resources. We can't do anything about a manager running out of memory and not being able to add new legitimate nodes to the system. This is merely a resource provisioning issue, and definitely not a CVE worthy vulnerability. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6595 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2016-8867 CVE STATUS: Patched CVE SUMMARY: Docker Engine 1.12.2 enabled ambient capabilities with misconfigured capability policies. This allowed malicious images to bypass user permissions to access files within the container filesystem or mounted volumes. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8867 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2016-9962 CVE STATUS: Patched CVE SUMMARY: RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 6.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9962 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2017-14992 CVE STATUS: Patched CVE SUMMARY: Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14992 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2017-16539 CVE STATUS: Patched CVE SUMMARY: The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16539 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2018-10892 CVE STATUS: Patched CVE SUMMARY: The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10892 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2018-12608 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12608 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2018-15514 CVE STATUS: Patched CVE SUMMARY: HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \\.\pipe\dockerBackend named pipe without verifying the validity of the deserialized .NET objects. This would allow a malicious user in the "docker-users" group (who may not otherwise have administrator access) to escalate to administrator privileges. CVSS v2 BASE SCORE: 6.5 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15514 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2018-15664 CVE STATUS: Patched CVE SUMMARY: In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot). CVSS v2 BASE SCORE: 6.2 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15664 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2019-10340 CVE STATUS: Patched CVE SUMMARY: A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10340 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2019-10341 CVE STATUS: Patched CVE SUMMARY: A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10341 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2019-10342 CVE STATUS: Patched CVE SUMMARY: A missing permission check in Jenkins Docker Plugin 1.1.6 and earlier in various 'fillCredentialsIdItems' methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10342 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2019-13139 CVE STATUS: Patched CVE SUMMARY: In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the underlying "git clone" command, leading to code execution in the context of the user executing the "docker build" command. This occurs because git ref can be misinterpreted as a flag. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13139 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2019-13509 CVE STATUS: Patched CVE SUMMARY: In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13509 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2019-14271 CVE STATUS: Patched CVE SUMMARY: In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14271 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2019-15752 CVE STATUS: Patched CVE SUMMARY: Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-credential-wincred.exe file in %PROGRAMDATA%\DockerDesktop\version-bin\ as a low-privilege user, and then waiting for an admin or service user to authenticate with Docker, restart Docker, or run 'docker login' to force the command. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15752 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2019-16884 CVE STATUS: Patched CVE SUMMARY: runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16884 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2019-5736 CVE STATUS: Patched CVE SUMMARY: runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5736 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2020-14298 CVE STATUS: Patched CVE SUMMARY: The version of docker as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 advisory included an incorrect version of runc missing the fix for CVE-2019-5736, which was previously fixed via RHSA-2019:0304. This issue could allow a malicious or compromised container to compromise the container host and other containers running on the same host. This issue only affects docker version 1.13.1-108.git4ef4b30.el7, shipped in Red Hat Enterprise Linux 7 Extras. Both earlier and later versions are not affected. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14298 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2020-14300 CVE STATUS: Patched CVE SUMMARY: The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in that update was the fix for CVE-2016-9962, that was previously corrected in the docker packages in Red Hat Enterprise Linux 7 Extras via RHSA-2017:0116 (https://access.redhat.com/errata/RHSA-2017:0116). The CVE-2020-14300 was assigned to this security regression and it is specific to the docker packages produced by Red Hat. The original issue - CVE-2016-9962 - could possibly allow a process inside container to compromise a process entering container namespace and execute arbitrary code outside of the container. This could lead to compromise of the container host or other containers running on the same container host. This issue only affects a single version of Docker, 1.13.1-108.git4ef4b30, shipped in Red Hat Enterprise Linux 7. Both earlier and later versions are not affected. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14300 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2020-27534 CVE STATUS: Patched CVE SUMMARY: util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27534 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2021-21284 CVE STATUS: Patched CVE SUMMARY: In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-21284 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2021-21285 CVE STATUS: Patched CVE SUMMARY: In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-21285 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2021-3162 CVE STATUS: Patched CVE SUMMARY: Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3162 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2021-33183 CVE STATUS: Patched CVE SUMMARY: Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability container volume management component in Synology Docker before 18.09.0-0515 allows local users to read or write arbitrary files via unspecified vectors. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 7.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33183 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2021-41089 CVE STATUS: Patched CVE SUMMARY: Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 2.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-41089 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2021-41091 CVE STATUS: Patched CVE SUMMARY: Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-41091 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2022-24769 CVE STATUS: Patched CVE SUMMARY: Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24769 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2022-25365 CVE STATUS: Patched CVE SUMMARY: Docker Desktop before 4.5.1 on Windows allows attackers to move arbitrary files. NOTE: this issue exists because of an incomplete fix for CVE-2022-23774. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25365 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2022-27652 CVE STATUS: Patched CVE SUMMARY: A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27652 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2022-36109 CVE STATUS: Patched CVE SUMMARY: Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-36109 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2023-28840 CVE STATUS: Patched CVE SUMMARY: Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in dockerd and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code. The overlay network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes. Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption. When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the u32 iptables extension provided by the xt_u32 kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN. Two iptables rules serve to filter incoming VXLAN datagrams with a VNI that corresponds to an encrypted network and discards unencrypted datagrams. The rules are appended to the end of the INPUT filter chain, following any rules that have been previously set by the system administrator. Administrator-set rules take precedence over the rules Moby sets to discard unencrypted VXLAN datagrams, which can potentially admit unencrypted datagrams that should have been discarded. The injection of arbitrary Ethernet frames can enable a Denial of Service attack. A sophisticated attacker may be able to establish a UDP or TCP connection by way of the container’s outbound gateway that would otherwise be blocked by a stateful firewall, or carry out other escalations beyond simple injection by smuggling packets into the overlay network. Patches are available in Moby releases 23.0.3 and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16. Some workarounds are available. Close the VXLAN port (by default, UDP port 4789) to incoming traffic at the Internet boundary to prevent all VXLAN packet injection, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28840 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2023-28841 CVE STATUS: Patched CVE SUMMARY: Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes. Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption. When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN. An iptables rule designates outgoing VXLAN datagrams with a VNI that corresponds to an encrypted overlay network for IPsec encapsulation. Encrypted overlay networks on affected platforms silently transmit unencrypted data. As a result, `overlay` networks may appear to be functional, passing traffic as expected, but without any of the expected confidentiality or data integrity guarantees. It is possible for an attacker sitting in a trusted position on the network to read all of the application traffic that is moving across the overlay network, resulting in unexpected secrets or user data disclosure. Thus, because many database protocols, internal APIs, etc. are not protected by a second layer of encryption, a user may use Swarm encrypted overlay networks to provide confidentiality, which due to this vulnerability this is no longer guaranteed. Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16. Some workarounds are available. Close the VXLAN port (by default, UDP port 4789) to outgoing traffic at the Internet boundary in order to prevent unintentionally leaking unencrypted traffic over the Internet, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28841 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2023-28842 CVE STATUS: Patched CVE SUMMARY: Moby) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes. Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption. When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN. The `overlay` driver dynamically and lazily defines the kernel configuration for the VXLAN network on each node as containers are attached and detached. Routes and encryption parameters are only defined for destination nodes that participate in the network. The iptables rules that prevent encrypted overlay networks from accepting unencrypted packets are not created until a peer is available with which to communicate. Encrypted overlay networks silently accept cleartext VXLAN datagrams that are tagged with the VNI of an encrypted overlay network. As a result, it is possible to inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams. The implications of this can be quite dire, and GHSA-vwm3-crmr-xfxw should be referenced for a deeper exploration. Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16. Some workarounds are available. In multi-node clusters, deploy a global ‘pause’ container for each encrypted overlay network, on every node. For a single-node cluster, do not use overlay networks of any sort. Bridge networks provide the same connectivity on a single node and have no multi-node features. The Swarm ingress feature is implemented using an overlay network, but can be disabled by publishing ports in `host` mode instead of `ingress` mode (allowing the use of an external load balancer), and removing the `ingress` network. If encrypted overlay networks are in exclusive use, block UDP port 4789 from traffic that has not been validated by IPSec. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28842 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2024-24557 CVE STATUS: Patched CVE SUMMARY: Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-24557 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2024-29018 CVE STATUS: Patched CVE SUMMARY: Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well. When containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs. Containers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly. In addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver. When a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself. As a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved. Many systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected. Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers. Docker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address. Moby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-29018 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2024-32473 CVE STATUS: Patched CVE SUMMARY: Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. In 26.0.0, IPv6 is not disabled on network interfaces, including those belonging to networks where `--ipv6=false`. An container with an `ipvlan` or `macvlan` interface will normally be configured to share an external network link with the host machine. Because of this direct access, (1) Containers may be able to communicate with other hosts on the local network over link-local IPv6 addresses, (2) if router advertisements are being broadcast over the local network, containers may get SLAAC-assigned addresses, and (3) the interface will be a member of IPv6 multicast groups. This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily increased attack surface. The issue is patched in 26.0.2. To completely disable IPv6 in a container, use `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create` or `docker run` command. Or, in the service configuration of a `compose` file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32473 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2024-36620 CVE STATUS: Unpatched CVE SUMMARY: moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36620 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2024-36621 CVE STATUS: Patched CVE SUMMARY: moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36621 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2024-36623 CVE STATUS: Patched CVE SUMMARY: moby through v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application crashes. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36623 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2025-54388 CVE STATUS: Patched CVE SUMMARY: Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. In versions 28.2.0 through 28.3.2, when the firewalld service is reloaded it removes all iptables rules including those created by Docker. While Docker should automatically recreate these rules, versions before 28.3.3 fail to recreate the specific rules that block external access to containers. This means that after a firewalld reload, containers with ports published to localhost (like 127.0.0.1:8080) become accessible from remote machines that have network routing to the Docker bridge, even though they should only be accessible from the host itself. The vulnerability only affects explicitly published ports - unpublished ports remain protected. This issue is fixed in version 28.3.3. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.6 CVSS v4 BASE SCORE: 5.1 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-54388 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2025-54410 CVE STATUS: Unpatched CVE SUMMARY: Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fails to re-create iptables rules that isolate bridge networks, allowing any container to access all ports on any other container across different bridge networks on the same host. This breaks network segmentation between containers that should be isolated, creating significant risk in multi-tenant environments. Only containers in --internal networks remain protected. Workarounds include reloading firewalld and either restarting the docker daemon, re-creating bridge networks, or using rootless mode. Maintainers anticipate a fix for this issue in version 25.0.13. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-54410 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2026-33997 CVE STATUS: Unpatched CVE SUMMARY: Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-33997 LAYER: meta-virtualization PACKAGE NAME: docker-moby PACKAGE VERSION: 25.0.9+gita926bec8fc91332410133b24f3e9e3f5add13b48 CVE: CVE-2026-34040 CVE STATUS: Unpatched CVE SUMMARY: Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-34040 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2006-2288 CVE STATUS: Patched CVE SUMMARY: Avahi before 0.6.10 allows local users to cause a denial of service (mDNS/DNS-SD service disconnect) via unspecified mDNS name conflicts. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2288 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2006-2289 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in avahi-core in Avahi before 0.6.10 allows local users to execute arbitrary code via unknown vectors. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2289 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2006-5461 CVE STATUS: Patched CVE SUMMARY: Avahi before 0.6.15 does not verify the sender identity of netlink messages to ensure that they come from the kernel instead of another process, which allows local users to spoof network changes to Avahi. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5461 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2006-6870 CVE STATUS: Patched CVE SUMMARY: The consume_labels function in avahi-core/dns.c in Avahi before 0.6.16 allows remote attackers to cause a denial of service (infinite loop) via a crafted compressed DNS response with a label that points to itself. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6870 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2007-3372 CVE STATUS: Patched CVE SUMMARY: The Avahi daemon in Avahi before 0.6.20 allows attackers to cause a denial of service (exit) via empty TXT data over D-Bus, which triggers an assert error. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3372 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2008-5081 CVE STATUS: Patched CVE SUMMARY: The originates_from_local_legacy_unicast_socket function (avahi-core/server.c) in avahi-daemon in Avahi before 0.6.24 allows remote attackers to cause a denial of service (crash) via a crafted mDNS packet with a source port of 0, which triggers an assertion failure. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5081 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2010-2244 CVE STATUS: Patched CVE SUMMARY: The AvahiDnsPacket function in avahi-core/socket.c in avahi-daemon in Avahi 0.6.16 and 0.6.25 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNS packet with an invalid checksum followed by a DNS packet with a valid checksum, a different vulnerability than CVE-2008-5081. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2244 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2011-1002 CVE STATUS: Patched CVE SUMMARY: avahi-core/socket.c in avahi-daemon in Avahi before 0.6.29 allows remote attackers to cause a denial of service (infinite loop) via an empty mDNS (1) IPv4 or (2) IPv6 UDP packet to port 5353. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-2244. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1002 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2017-6519 CVE STATUS: Patched CVE SUMMARY: avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) and may cause information leakage by obtaining potentially sensitive information from the responding device via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6519 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2021-26720 CVE STATUS: Ignored CVE DETAIL: not-applicable-platform CVE DESCRIPTION: Issue only affects Debian/SUSE CVE SUMMARY: avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects the packaging for Debian GNU/Linux (used indirectly by SUSE), not the upstream Avahi product. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-26720 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2021-3468 CVE STATUS: Patched CVE SUMMARY: A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3468 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2021-3502 CVE STATUS: Patched CVE SUMMARY: A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3502 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2023-1981 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in the avahi library. This flaw allows an unprivileged user to make a dbus call, causing the avahi daemon to crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1981 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2023-38469 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38469 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2023-38470 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38470 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2023-38471 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38471 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2023-38472 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38472 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2023-38473 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38473 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2024-52615 CVE STATUS: Patched CVE SUMMARY: A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-52615 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2024-52616 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-52616 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2025-59529 CVE STATUS: Unpatched CVE SUMMARY: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. But avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted users. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-59529 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2025-68276 CVE STATUS: Unpatched CVE SUMMARY: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-68276 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2025-68468 CVE STATUS: Unpatched CVE SUMMARY: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-68468 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2025-68471 CVE STATUS: Unpatched CVE SUMMARY: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-68471 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2026-24401 CVE STATUS: Unpatched CVE SUMMARY: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-24401 LAYER: meta PACKAGE NAME: avahi PACKAGE VERSION: 0.8 CVE: CVE-2026-34933 CVE STATUS: Unpatched CVE SUMMARY: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-34933 LAYER: meta PACKAGE NAME: texinfo PACKAGE VERSION: 7.0.3 CVE: CVE-2005-3011 CVE STATUS: Patched CVE SUMMARY: The sort_offline function for texindex in texinfo 4.8 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files. CVSS v2 BASE SCORE: 1.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3011 LAYER: meta PACKAGE NAME: texinfo PACKAGE VERSION: 7.0.3 CVE: CVE-2006-4810 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the readline function in util/texindex.c, as used by the (1) texi2dvi and (2) texindex commands, in texinfo 4.8 and earlier allows local users to execute arbitrary code via a crafted Texinfo file. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4810 LAYER: meta PACKAGE NAME: ed PACKAGE VERSION: 1.20.2 CVE: CVE-2000-1137 CVE STATUS: Patched CVE SUMMARY: GNU ed before 0.2-18.1 allows local users to overwrite the files of other users via a symlink attack. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1137 LAYER: meta PACKAGE NAME: ed PACKAGE VERSION: 1.20.2 CVE: CVE-2006-6939 CVE STATUS: Patched CVE SUMMARY: GNU ed before 0.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files, possibly in the open_sbuf function. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6939 LAYER: meta PACKAGE NAME: ed PACKAGE VERSION: 1.20.2 CVE: CVE-2008-3916 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the strip_escapes function in signal.c in GNU ed before 1.0 allows context-dependent or user-assisted attackers to execute arbitrary code via a long filename. NOTE: since ed itself does not typically run with special privileges, this issue only crosses privilege boundaries when ed is invoked as a third-party component. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3916 LAYER: meta PACKAGE NAME: ed PACKAGE VERSION: 1.20.2 CVE: CVE-2017-5357 CVE STATUS: Patched CVE SUMMARY: regex.c in GNU ed before 1.14.1 allows attackers to cause a denial of service (crash) via a malformed command, which triggers an invalid free. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5357 LAYER: meta PACKAGE NAME: sysklogd PACKAGE VERSION: 2.5.2 CVE: CVE-2014-3634 CVE STATUS: Patched CVE SUMMARY: rsyslog before 7.6.6 and 8.x before 8.4.1 and sysklogd 1.5 and earlier allows remote attackers to cause a denial of service (crash), possibly execute arbitrary code, or have other unspecified impact via a crafted priority (PRI) value that triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3634 LAYER: meta PACKAGE NAME: sysklogd PACKAGE VERSION: 2.5.2 CVE: CVE-2014-3683 CVE STATUS: Patched CVE SUMMARY: Integer overflow in rsyslog before 7.6.7 and 8.x before 8.4.2 and sysklogd 1.5 and earlier allows remote attackers to cause a denial of service (crash) via a large priority (PRI) value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3634. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3683 LAYER: meta PACKAGE NAME: time PACKAGE VERSION: 1.9 CVE: CVE-2020-26235 CVE STATUS: Patched CVE SUMMARY: In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to set any environment variable in a different thread than the affected functions. The affected functions are time::UtcOffset::local_offset_at, time::UtcOffset::try_local_offset_at, time::UtcOffset::current_local_offset, time::UtcOffset::try_current_local_offset, time::OffsetDateTime::now_local and time::OffsetDateTime::try_now_local. Non-Unix targets are unaffected. This includes Windows and wasm. The issue was introduced in version 0.2.7 and fixed in version 0.2.23. CVSS v2 BASE SCORE: 3.5 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-26235 LAYER: meta PACKAGE NAME: time PACKAGE VERSION: 1.9 CVE: CVE-2023-28756 CVE STATUS: Patched CVE SUMMARY: A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28756 LAYER: meta PACKAGE NAME: time PACKAGE VERSION: 1.9 CVE: CVE-2026-25727 CVE STATUS: Patched CVE SUMMARY: time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 6.8 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-25727 LAYER: meta PACKAGE NAME: lz4 PACKAGE VERSION: 1_1.9.4 CVE: CVE-2014-4715 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: Fixed in r118, which is larger than the current version. CVE SUMMARY: Yann Collet LZ4 before r119, when used on certain 32-bit platforms that allocate memory beyond 0x80000000, does not properly detect integer overflows, which allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run, a different vulnerability than CVE-2014-4611. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4715 LAYER: meta PACKAGE NAME: lz4 PACKAGE VERSION: 1_1.9.4 CVE: CVE-2019-17543 CVE STATUS: Patched CVE SUMMARY: LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17543 LAYER: meta PACKAGE NAME: lz4 PACKAGE VERSION: 1_1.9.4 CVE: CVE-2021-3520 CVE STATUS: Patched CVE SUMMARY: There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3520 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2015-3210 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in PCRE 8.34 through 8.37 and PCRE2 10.10 allows remote attackers to execute arbitrary code via a crafted regular expression, as demonstrated by /^(?P=B)((?P=B)(?J:(?Pc)(?Pa(?P=B)))>WGXCREDITS)/, a different vulnerability than CVE-2015-8384. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3210 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2015-3217 CVE STATUS: Patched CVE SUMMARY: PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3217 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2016-3191 CVE STATUS: Patched CVE SUMMARY: The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3191 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2017-7186 CVE STATUS: Patched CVE SUMMARY: libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7186 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2017-8399 CVE STATUS: Patched CVE SUMMARY: PCRE2 before 10.30 has an out-of-bounds write caused by a stack-based buffer overflow in pcre2_match.c, related to a "pattern with very many captures." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8399 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2017-8786 CVE STATUS: Patched CVE SUMMARY: pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8786 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2019-20454 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20454 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2022-1586 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1586 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2022-1587 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1587 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2022-41409 CVE STATUS: Patched CVE SUMMARY: Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41409 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2025-58050 CVE STATUS: Patched CVE SUMMARY: The PCRE2 library is a set of C functions that implement regular expression pattern matching. In version 10.45, a heap-buffer-overflow read vulnerability exists in the PCRE2 regular expression matching engine, specifically within the handling of the (*scs:...) (Scan SubString) verb when combined with (*ACCEPT) in src/pcre2_match.c. This vulnerability may potentially lead to information disclosure if the out-of-bounds data read during the memcmp affects the final match result in a way observable by the attacker. This issue has been resolved in version 10.46. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 6.9 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-58050 LAYER: meta PACKAGE NAME: kexec-tools PACKAGE VERSION: 2.0.28 CVE: CVE-2011-3588 CVE STATUS: Patched CVE SUMMARY: The SSH configuration in the Red Hat mkdumprd script for kexec-tools, as distributed in the kexec-tools 1.x before 1.102pre-154 and 2.x before 2.0.0-209 packages in Red Hat Enterprise Linux, disables the StrictHostKeyChecking option, which allows man-in-the-middle attackers to spoof kdump servers, and obtain sensitive core information, by using an arbitrary SSH key. CVSS v2 BASE SCORE: 5.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:C/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3588 LAYER: meta PACKAGE NAME: kexec-tools PACKAGE VERSION: 2.0.28 CVE: CVE-2011-3589 CVE STATUS: Patched CVE SUMMARY: The Red Hat mkdumprd script for kexec-tools, as distributed in the kexec-tools 1.x before 1.102pre-154 and 2.x before 2.0.0-209 packages in Red Hat Enterprise Linux, uses world-readable permissions for vmcore files, which allows local users to obtain sensitive information by inspecting the file content, as demonstrated by a search for a root SSH key. CVSS v2 BASE SCORE: 5.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:C/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3589 LAYER: meta PACKAGE NAME: kexec-tools PACKAGE VERSION: 2.0.28 CVE: CVE-2011-3590 CVE STATUS: Patched CVE SUMMARY: The Red Hat mkdumprd script for kexec-tools, as distributed in the kexec-tools 1.x before 1.102pre-154 and 2.x before 2.0.0-209 packages in Red Hat Enterprise Linux, includes all of root's SSH private keys within a vmcore file, which allows context-dependent attackers to obtain sensitive information by inspecting the file content. CVSS v2 BASE SCORE: 5.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:C/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3590 LAYER: meta PACKAGE NAME: kexec-tools PACKAGE VERSION: 2.0.28 CVE: CVE-2015-0267 CVE STATUS: Patched CVE SUMMARY: The Red Hat module-setup.sh script for kexec-tools, as distributed in the kexec-tools before 2.0.7-19 packages in Red Hat Enterprise Linux, allows local users to write to arbitrary files via a symlink attack on a temporary file. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0267 LAYER: meta PACKAGE NAME: kexec-tools PACKAGE VERSION: 2.0.28 CVE: CVE-2021-20269 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the permissions of a log file created by kexec-tools. This flaw allows a local unprivileged user to read this file and leak kernel internal information from a previous panic. The highest threat from this vulnerability is to confidentiality. This flaw affects kexec-tools shipped by Fedora versions prior to 2.0.21-8 and RHEL versions prior to 2.0.20-47. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20269 LAYER: meta PACKAGE NAME: x11perf PACKAGE VERSION: 1_1.6.1 CVE: CVE-2011-2504 CVE STATUS: Patched CVE SUMMARY: Untrusted search path vulnerability in x11perfcomp in XFree86 x11perf before 1.5.4 allows local users to gain privileges via unspecified Trojan horse code in the current working directory. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2504 LAYER: meta PACKAGE NAME: libxv PACKAGE VERSION: 1.0.12 CVE: CVE-2013-1989 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in X.org libXv 1.0.7 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XvQueryPortAttributes, (2) XvListImageFormats, and (3) XvCreateImage function. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1989 LAYER: meta PACKAGE NAME: libxv PACKAGE VERSION: 1.0.12 CVE: CVE-2013-2066 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in X.org libXv 1.0.7 and earlier allows X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the XvQueryPortAttributes function. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2066 LAYER: meta PACKAGE NAME: libxv PACKAGE VERSION: 1.0.12 CVE: CVE-2016-5407 CVE STATUS: Patched CVE SUMMARY: The (1) XvQueryAdaptors and (2) XvQueryEncodings functions in X.org libXv before 1.0.11 allow remote X servers to trigger out-of-bounds memory access operations via vectors involving length specifications in received data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5407 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2006-5397 CVE STATUS: Patched CVE SUMMARY: The Xinput module (modules/im/ximcp/imLcIm.c) in X.Org libX11 1.0.2 and 1.0.3 opens a file for reading twice using the same file descriptor, which causes a file descriptor leak that allows local users to read files specified by the XCOMPOSEFILE environment variable via the duplicate file descriptor. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5397 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2007-1667 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1667 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2013-1981 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XQueryFont, (2) _XF86BigfontQueryFont, (3) XListFontsWithInfo, (4) XGetMotionEvents, (5) XListHosts, (6) XGetModifierMapping, (7) XGetPointerMapping, (8) XGetKeyboardMapping, (9) XGetWindowProperty, (10) XGetImage, (11) LoadColornameDB, (12) XrmGetFileDatabase, (13) _XimParseStringFile, or (14) TransFileName functions. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1981 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2013-1997 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in X.org libX11 1.5.99.901 (1.6 RC1) and earlier allow X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the (1) XAllocColorCells, (2) _XkbReadGetDeviceInfoReply, (3) _XkbReadGeomShapes, (4) _XkbReadGetGeometryReply, (5) _XkbReadKeySyms, (6) _XkbReadKeyActions, (7) _XkbReadKeyBehaviors, (8) _XkbReadModifierMap, (9) _XkbReadExplicitComponents, (10) _XkbReadVirtualModMap, (11) _XkbReadGetNamesReply, (12) _XkbReadGetMapReply, (13) _XimXGetReadData, (14) XListFonts, (15) XListExtensions, and (16) XGetFontPath functions. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1997 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2013-2004 CVE STATUS: Patched CVE SUMMARY: The (1) GetDatabase and (2) _XimParseStringFile functions in X.org libX11 1.5.99.901 (1.6 RC1) and earlier do not restrict the recursion depth when processing directives to include files, which allows X servers to cause a denial of service (stack consumption) via a crafted file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2004 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2013-7439 CVE STATUS: Patched CVE SUMMARY: Multiple off-by-one errors in the (1) MakeBigReq and (2) SetReqLen macros in include/X11/Xlibint.h in X11R6.x and libX11 before 1.6.0 allow remote attackers to have unspecified impact via a crafted request, which triggers a buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7439 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2016-7942 CVE STATUS: Patched CVE SUMMARY: The XGetImage function in X.org libX11 before 1.6.4 might allow remote X servers to gain privileges via vectors involving image type and geometry, which triggers out-of-bounds read operations. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7942 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2016-7943 CVE STATUS: Patched CVE SUMMARY: The XListFonts function in X.org libX11 before 1.6.4 might allow remote X servers to gain privileges via vectors involving length fields, which trigger out-of-bounds write operations. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7943 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2018-14598 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14598 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2018-14599 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14599 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2018-14600 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14600 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2020-14344 CVE STATUS: Patched CVE SUMMARY: An integer overflow leading to a heap-buffer overflow was found in The X Input Method (XIM) client was implemented in libX11 before version 1.6.10. As per upstream this is security relevant when setuid programs call XIM client functions while running with elevated privileges. No such programs are shipped with Red Hat Enterprise Linux. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14344 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2020-14363 CVE STATUS: Patched CVE SUMMARY: An integer overflow vulnerability leading to a double-free was found in libX11. This flaw allows a local privileged attacker to cause an application compiled with libX11 to crash, or in some cases, result in arbitrary code execution. The highest threat from this flaw is to confidentiality, integrity as well as system availability. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14363 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2021-31535 CVE STATUS: Patched CVE SUMMARY: LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-31535 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2023-3138 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3138 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2023-43785 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function. This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43785 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2023-43786 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43786 LAYER: meta PACKAGE NAME: libx11 PACKAGE VERSION: 1_1.8.9 CVE: CVE-2023-43787 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43787 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2008-0595 CVE STATUS: Patched CVE SUMMARY: dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0595 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2008-3834 CVE STATUS: Patched CVE SUMMARY: The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3834 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2008-4311 CVE STATUS: Patched CVE SUMMARY: The default configuration of system.conf in D-Bus (aka DBus) before 1.2.6 omits the send_type attribute in certain rules, which allows local users to bypass intended access restrictions by (1) sending messages, related to send_requested_reply; and possibly (2) receiving messages, related to receive_requested_reply. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4311 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2009-1189 CVE STATUS: Patched CVE SUMMARY: The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key. NOTE: this is due to an incorrect fix for CVE-2008-3834. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1189 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2010-4352 CVE STATUS: Patched CVE SUMMARY: Stack consumption vulnerability in D-Bus (aka DBus) before 1.4.1 allows local users to cause a denial of service (daemon crash) via a message containing many nested variants. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4352 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2011-2200 CVE STATUS: Patched CVE SUMMARY: The _dbus_header_byteswap function in dbus-marshal-header.c in D-Bus (aka DBus) 1.2.x before 1.2.28, 1.4.x before 1.4.12, and 1.5.x before 1.5.4 does not properly handle a non-native byte order, which allows local users to cause a denial of service (connection loss), obtain potentially sensitive information, or conduct unspecified state-modification attacks via crafted messages. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2200 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2011-2533 CVE STATUS: Patched CVE SUMMARY: The configure script in D-Bus (aka DBus) 1.2.x before 1.2.28 allows local users to overwrite arbitrary files via a symlink attack on an unspecified file in /tmp/. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2533 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2012-3524 CVE STATUS: Patched CVE SUMMARY: libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus." CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3524 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2013-2168 CVE STATUS: Patched CVE SUMMARY: The _dbus_printf_string_upper_bound function in dbus/dbus-sysdeps-unix.c in D-Bus (aka DBus) 1.4.x before 1.4.26, 1.6.x before 1.6.12, and 1.7.x before 1.7.4 allows local users to cause a denial of service (service crash) via a crafted message. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2168 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2014-3477 CVE STATUS: Patched CVE SUMMARY: The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3477 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2014-3532 CVE STATUS: Patched CVE SUMMARY: dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3532 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2014-3533 CVE STATUS: Patched CVE SUMMARY: dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3533 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2014-3635 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3635 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2014-3636 CVE STATUS: Patched CVE SUMMARY: D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3636 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2014-3637 CVE STATUS: Patched CVE SUMMARY: D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3637 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2014-3638 CVE STATUS: Patched CVE SUMMARY: The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3638 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2014-3639 CVE STATUS: Patched CVE SUMMARY: The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3639 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2014-7824 CVE STATUS: Patched CVE SUMMARY: D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636.1. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7824 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2015-0245 CVE STATUS: Patched CVE SUMMARY: D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0245 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2019-12749 CVE STATUS: Patched CVE SUMMARY: dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12749 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2020-12049 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12049 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2020-35512 CVE STATUS: Patched CVE SUMMARY: A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <= 1.12.18, and dbus-1.10.x and older branches <= 1.10.30 when a system has multiple usernames sharing the same UID. When a set of policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35512 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2022-42010 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42010 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2022-42011 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42011 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2022-42012 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42012 LAYER: meta PACKAGE NAME: dbus PACKAGE VERSION: 1.14.10 CVE: CVE-2023-34969 CVE STATUS: Patched CVE SUMMARY: D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34969 LAYER: meta PACKAGE NAME: libxinerama PACKAGE VERSION: 1_1.1.5 CVE: CVE-2013-1985 CVE STATUS: Patched CVE SUMMARY: Integer overflow in X.org libXinerama 1.1.2 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XineramaQueryScreens function. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1985 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2006-3627 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the GSM BSSMAP dissector in Wireshark (aka Ethereal) 0.10.11 to 0.99.0 allows remote attackers to cause a denial of service (crash) via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3627 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2006-3628 CVE STATUS: Patched CVE SUMMARY: Multiple format string vulnerabilities in Wireshark (aka Ethereal) 0.10.x to 0.99.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) ANSI MAP, (2) Checkpoint FW-1, (3) MQ, (4) XML, and (5) NTP dissectors. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3628 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2006-3630 CVE STATUS: Patched CVE SUMMARY: Multiple off-by-one errors in Wireshark (aka Ethereal) 0.9.7 to 0.99.0 have unknown impact and remote attack vectors via the (1) NCP NMAS and (2) NDPS dissectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3630 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2006-3631 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the SSH dissector in Wireshark (aka Ethereal) 0.9.10 to 0.99.0 allows remote attackers to cause a denial of service (infinite loop) via unknown attack vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3631 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2006-4330 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the SCSI dissector in Wireshark (formerly Ethereal) 0.99.2 allows remote attackers to cause a denial of service (crash) via unspecified vectors. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4330 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2006-4331 CVE STATUS: Patched CVE SUMMARY: Multiple off-by-one errors in the IPSec ESP preference parser in Wireshark (formerly Ethereal) 0.99.2 allow remote attackers to cause a denial of service (crash) via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4331 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2006-4332 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the DHCP dissector in Wireshark (formerly Ethereal) 0.10.13 through 0.99.2, when run on Windows, allows remote attackers to cause a denial of service (crash) via unspecified vectors that trigger a bug in Glib. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4332 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2006-4333 CVE STATUS: Patched CVE SUMMARY: The SSCOP dissector in Wireshark (formerly Ethereal) before 0.99.3 allows remote attackers to cause a denial of service (resource consumption) via malformed packets that cause the Q.2391 dissector to use excessive memory. CVSS v2 BASE SCORE: 5.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4333 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2006-4574 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the MIME Multipart dissector in Wireshark (formerly Ethereal) 0.10.1 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that trigger an assertion error related to unexpected length values. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4574 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2006-4805 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-xot.c in the XOT dissector (dissect_xot_pdu) in Wireshark (formerly Ethereal) 0.9.8 through 0.99.3 allows remote attackers to cause a denial of service (memory consumption and crash) via an encoded XOT packet that produces a zero length value when it is decoded. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4805 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2006-5468 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the HTTP dissector in Wireshark (formerly Ethereal) 0.99.3 allows remote attackers to cause a denial of service (crash) via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5468 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2006-5469 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the WBXML dissector in Wireshark (formerly Ethereal) 0.10.11 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that trigger a null dereference. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5469 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2006-5595 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the AirPcap support in Wireshark (formerly Ethereal) 0.99.3 has unspecified attack vectors related to WEP key parsing. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5595 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2006-5740 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the LDAP dissector in Wireshark (formerly Ethereal) 0.99.3 allows remote attackers to cause a denial of service (crash) via a crafted LDAP packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5740 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-0456 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the LLT dissector in Wireshark (formerly Ethereal) 0.99.3 and 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0456 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-0457 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the IEEE 802.11 dissector in Wireshark (formerly Ethereal) 0.10.14 through 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0457 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-0458 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the HTTP dissector in Wireshark (formerly Ethereal) 0.99.3 and 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors, a different issue than CVE-2006-5468. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0458 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-0459 CVE STATUS: Patched CVE SUMMARY: packet-tcp.c in the TCP dissector in Wireshark (formerly Ethereal) 0.99.2 through 0.99.4 allows remote attackers to cause a denial of service (application crash or hang) via fragmented HTTP packets. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0459 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-3389 CVE STATUS: Patched CVE SUMMARY: Wireshark before 0.99.6 allows remote attackers to cause a denial of service (crash) via a crafted chunked encoding in an HTTP response, possibly related to a zero-length payload. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3389 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-3390 CVE STATUS: Patched CVE SUMMARY: Wireshark 0.99.5 and 0.10.x up to 0.10.14, when running on certain systems, allows remote attackers to cause a denial of service (crash) via crafted iSeries capture files that trigger a SIGTRAP. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3390 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-3391 CVE STATUS: Patched CVE SUMMARY: Wireshark 0.99.5 allows remote attackers to cause a denial of service (memory consumption) via a malformed DCP ETSI packet that triggers an infinite loop. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3391 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-3392 CVE STATUS: Patched CVE SUMMARY: Wireshark before 0.99.6 allows remote attackers to cause a denial of service via malformed (1) SSL or (2) MMS packets that trigger an infinite loop. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3392 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-3393 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the DHCP/BOOTP dissector in Wireshark before 0.99.6 allows remote attackers to cause a denial of service (crash) via crafted DHCP-over-DOCSIS packets. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3393 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-6111 CVE STATUS: Patched CVE SUMMARY: Multiple unspecified vulnerabilities in Wireshark (formerly Ethereal) allow remote attackers to cause a denial of service (crash) via (1) a crafted MP3 file or (2) unspecified vectors to the NCP dissector. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6111 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-6112 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the PPP dissector Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6112 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-6113 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the DNP3 dissector in Wireshark (formerly Ethereal) 0.10.12 to 0.99.6 allows remote attackers to cause a denial of service (long loop) via a malformed DNP3 packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6113 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-6114 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in Wireshark (formerly Ethereal) 0.99.0 through 0.99.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) the SSL dissector or (2) the iSeries (OS/400) Communication trace file parser. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6114 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-6115 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the ANSI MAP dissector for Wireshark (formerly Ethereal) 0.99.5 to 0.99.6, when running on unspecified platforms, allows remote attackers to cause a denial of service and possibly execute arbitrary code via unknown vectors. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6115 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-6116 CVE STATUS: Patched CVE SUMMARY: The Firebird/Interbase dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (infinite loop or crash) via unknown vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6116 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-6117 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the HTTP dissector for Wireshark (formerly Ethereal) 0.10.14 to 0.99.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted chunked messages. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6117 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-6118 CVE STATUS: Patched CVE SUMMARY: The MEGACO dissector in Wireshark (formerly Ethereal) 0.9.14 to 0.99.6 allows remote attackers to cause a denial of service (long loop and resource consumption) via unknown vectors. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6118 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-6119 CVE STATUS: Patched CVE SUMMARY: The DCP ETSI dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (long loop and resource consumption) via unknown vectors. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6119 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-6120 CVE STATUS: Patched CVE SUMMARY: The Bluetooth SDP dissector Wireshark (formerly Ethereal) 0.99.2 to 0.99.6 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6120 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-6121 CVE STATUS: Patched CVE SUMMARY: Wireshark (formerly Ethereal) 0.8.16 to 0.99.6 allows remote attackers to cause a denial of service (crash) via a malformed RPC Portmap packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6121 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-6438 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the SMB dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service via unknown vectors. NOTE: this identifier originally included MP3 and NCP, but those issues are already covered by CVE-2007-6111. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6438 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-6439 CVE STATUS: Patched CVE SUMMARY: Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (infinite or large loop) via the (1) IPv6 or (2) USB dissector, which can trigger resource consumption or a crash. NOTE: this identifier originally included Firebird/Interbase, but it is already covered by CVE-2007-6116. The DCP ETSI issue is already covered by CVE-2007-6119. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6439 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-6441 CVE STATUS: Patched CVE SUMMARY: The WiMAX dissector in Wireshark (formerly Ethereal) 0.99.6 allows remote attackers to cause a denial of service (crash) via unknown vectors related to "unaligned access on some platforms." CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6441 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-6450 CVE STATUS: Patched CVE SUMMARY: The RPL dissector in Wireshark (formerly Ethereal) 0.9.8 to 0.99.6 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6450 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2007-6451 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the CIP dissector in Wireshark (formerly Ethereal) 0.9.14 to 0.99.6 allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger allocation of large amounts of memory. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6451 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-1070 CVE STATUS: Patched CVE SUMMARY: The SCTP dissector in Wireshark (formerly Ethereal) 0.99.5 through 0.99.7 allows remote attackers to cause a denial of service (crash) via a malformed packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1070 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-1071 CVE STATUS: Patched CVE SUMMARY: The SNMP dissector in Wireshark (formerly Ethereal) 0.99.6 through 0.99.7 allows remote attackers to cause a denial of service (crash) via a malformed packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1071 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-1072 CVE STATUS: Patched CVE SUMMARY: The TFTP dissector in Wireshark (formerly Ethereal) 0.6.0 through 0.99.7, when running on Ubuntu 7.10, allows remote attackers to cause a denial of service (crash or memory consumption) via a malformed packet, possibly related to a Cairo library bug. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1072 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-1561 CVE STATUS: Patched CVE SUMMARY: Multiple unspecified vulnerabilities in Wireshark (formerly Ethereal) 0.99.5 through 0.99.8 allow remote attackers to cause a denial of service (application crash) via a malformed packet to the (1) X.509sat or (2) Roofnet dissectors. NOTE: Vector 2 might also lead to a hang. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1561 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-1562 CVE STATUS: Patched CVE SUMMARY: The LDAP dissector in Wireshark (formerly Ethereal) 0.99.2 through 0.99.8 allows remote attackers to cause a denial of service (application crash) via a malformed packet, a different vulnerability than CVE-2006-5740. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1562 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-1563 CVE STATUS: Patched CVE SUMMARY: The "decode as" feature in packet-bssap.c in the SCCP dissector in Wireshark (formerly Ethereal) 0.99.6 through 0.99.8 allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1563 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-3137 CVE STATUS: Patched CVE SUMMARY: The GSM SMS dissector in Wireshark (formerly Ethereal) 0.99.2 through 1.0.0 allows remote attackers to cause a denial of service (application crash) via unknown vectors. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3137 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-3138 CVE STATUS: Patched CVE SUMMARY: The (1) PANA and (2) KISMET dissectors in Wireshark (formerly Ethereal) 0.99.3 through 1.0.0 allow remote attackers to cause a denial of service (application stop) via unknown vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3138 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-3139 CVE STATUS: Patched CVE SUMMARY: The RTMPT dissector in Wireshark (formerly Ethereal) 0.99.8 through 1.0.0 allows remote attackers to cause a denial of service (crash) via unknown vectors. NOTE: this might be due to a use-after-free error. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3139 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-3140 CVE STATUS: Patched CVE SUMMARY: The syslog dissector in Wireshark (formerly Ethereal) 1.0.0 allows remote attackers to cause a denial of service (application crash) via unknown vectors, possibly related to an "incomplete SS7 MSU syslog encapsulated packet." CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3140 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-3141 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the RMI dissector in Wireshark (formerly Ethereal) 0.9.5 through 1.0.0 allows remote attackers to read system memory via unspecified vectors. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3141 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-3145 CVE STATUS: Patched CVE SUMMARY: The fragment_add_work function in epan/reassemble.c in Wireshark 0.8.19 through 1.0.1 allows remote attackers to cause a denial of service (crash) via a series of fragmented packets with non-sequential fragmentation offset values, which lead to a buffer over-read. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3145 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-3146 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in packet_ncp2222.inc in Wireshark (formerly Ethereal) 0.9.7 through 1.0.2 allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted NCP packet that causes an invalid pointer to be used. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3146 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-3932 CVE STATUS: Patched CVE SUMMARY: Wireshark (formerly Ethereal) 0.9.7 through 1.0.2 allows attackers to cause a denial of service (hang) via a crafted NCP packet that triggers an infinite loop. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3932 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-3933 CVE STATUS: Patched CVE SUMMARY: Wireshark (formerly Ethereal) 0.10.14 through 1.0.2 allows attackers to cause a denial of service (crash) via a packet with crafted zlib-compressed data that triggers an invalid read in the tvb_uncompress function. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3933 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-3934 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in Wireshark (formerly Ethereal) 0.99.6 through 1.0.2 allows attackers to cause a denial of service (crash) via a crafted Tektronix .rf5 file. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3934 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-4680 CVE STATUS: Patched CVE SUMMARY: packet-usb.c in the USB dissector in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via a malformed USB Request Block (URB). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4680 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-4681 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the Bluetooth RFCOMM dissector in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via unknown packets. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4681 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-4682 CVE STATUS: Patched CVE SUMMARY: wtap.c in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application abort) via a malformed Tamos CommView capture file (aka .ncf file) with an "unknown/unexpected packet type" that triggers a failed assertion. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4682 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-4683 CVE STATUS: Patched CVE SUMMARY: The dissect_btacl function in packet-bthci_acl.c in the Bluetooth ACL dissector in Wireshark 0.99.2 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via a packet with an invalid length, related to an erroneous tvb_memcpy call. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4683 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-4684 CVE STATUS: Patched CVE SUMMARY: packet-frame in Wireshark 0.99.2 through 1.0.3 does not properly handle exceptions thrown by post dissectors, which allows remote attackers to cause a denial of service (application crash) via a certain series of packets, as demonstrated by enabling the (1) PRP or (2) MATE post dissector. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4684 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-4685 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the dissect_q931_cause_ie function in packet-q931.c in the Q.931 dissector in Wireshark 0.10.3 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via certain packets that trigger an exception. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4685 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-5285 CVE STATUS: Patched CVE SUMMARY: Wireshark 1.0.4 and earlier allows remote attackers to cause a denial of service via a long SMTP request, which triggers an infinite loop. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5285 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2008-6472 CVE STATUS: Patched CVE SUMMARY: The WLCCP dissector in Wireshark 0.99.7 through 1.0.4 allows remote attackers to cause a denial of service (infinite loop) via unspecified vectors. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6472 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-0599 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in wiretap/netscreen.c in Wireshark 0.99.7 through 1.0.5 allows user-assisted remote attackers to cause a denial of service (application crash) via a malformed NetScreen snoop file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0599 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-0600 CVE STATUS: Patched CVE SUMMARY: Wireshark 0.99.6 through 1.0.5 allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted Tektronix K12 text capture file, as demonstrated by a file with exactly one frame. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0600 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-0601 CVE STATUS: Patched CVE SUMMARY: Format string vulnerability in Wireshark 0.99.8 through 1.0.5 on non-Windows platforms allows local users to cause a denial of service (application crash) via format string specifiers in the HOME environment variable. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0601 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-1210 CVE STATUS: Patched CVE SUMMARY: Format string vulnerability in the PROFINET/DCP (PN-DCP) dissector in Wireshark 1.0.6 and earlier allows remote attackers to execute arbitrary code via a PN-DCP packet with format string specifiers in the station name. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1210 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-1266 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in Wireshark before 1.0.7 has unknown impact and attack vectors. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1266 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-1267 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the LDAP dissector in Wireshark 0.99.2 through 1.0.6, when running on Windows, allows remote attackers to cause a denial of service (crash) via unknown attack vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1267 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-1268 CVE STATUS: Patched CVE SUMMARY: The Check Point High-Availability Protocol (CPHAP) dissector in Wireshark 0.9.6 through 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted FWHA_MY_STATE packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1268 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-1269 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in Wireshark 0.99.6 through 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted Tektronix .rf5 file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1269 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-1829 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the PCNFSD dissector in Wireshark 0.8.20 through 1.0.7 allows remote attackers to cause a denial of service (crash) via crafted PCNFSD packets. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1829 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-2559 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the IPMI dissector in Wireshark 1.2.0 allows remote attackers to cause a denial of service (crash) via unspecified vectors related to an array index error. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2559 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-2560 CVE STATUS: Patched CVE SUMMARY: Multiple unspecified vulnerabilities in Wireshark 1.2.0 allow remote attackers to cause a denial of service (application crash) via a file that records a malformed packet trace and is processed by the (1) Bluetooth L2CAP, (2) RADIUS, or (3) MIOP dissector. NOTE: it was later reported that the RADIUS issue also affects 0.10.13 through 1.0.9. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2560 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-2561 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the sFlow dissector in Wireshark 1.2.0 allows remote attackers to cause a denial of service (CPU and memory consumption) via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2561 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-2562 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the AFS dissector in Wireshark 0.9.2 through 1.2.0 allows remote attackers to cause a denial of service (crash) via unknown vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2562 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-2563 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the Infiniband dissector in Wireshark 1.0.6 through 1.2.0, when running on unspecified platforms, allows remote attackers to cause a denial of service (crash) via unknown vectors. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2563 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-3241 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the OpcUa (OPC UA) dissector in Wireshark 0.99.6 through 1.0.8 and 1.2.0 through 1.2.1 allows remote attackers to cause a denial of service (memory and CPU consumption) via malformed OPCUA Service CallRequest packets. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3241 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-3242 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in packet.c in the GSM A RR dissector in Wireshark 1.2.0 and 1.2.1 allows remote attackers to cause a denial of service (application crash) via unknown vectors related to "an uninitialized dissector handle," which triggers an assertion failure. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3242 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-3243 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the TLS dissector in Wireshark 1.2.0 and 1.2.1, when running on Windows, allows remote attackers to cause a denial of service (application crash) via unknown vectors related to TLS 1.2 conversations. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3243 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-3549 CVE STATUS: Patched CVE SUMMARY: packet-paltalk.c in the Paltalk dissector in Wireshark 1.2.0 through 1.2.2, on SPARC and certain other platforms, allows remote attackers to cause a denial of service (application crash) via a file that records a malformed packet trace. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3549 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-3550 CVE STATUS: Patched CVE SUMMARY: The DCERPC/NT dissector in Wireshark 0.10.10 through 1.0.9 and 1.2.0 through 1.2.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a file that records a malformed packet trace. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3550 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-3551 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the dissect_negprot_response function in packet-smb.c in the SMB dissector in Wireshark 1.2.0 through 1.2.2 allows remote attackers to cause a denial of service (application crash) via a file that records a malformed packet trace. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3551 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-3829 CVE STATUS: Patched CVE SUMMARY: Integer overflow in wiretap/erf.c in Wireshark before 1.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted erf file, related to an "unsigned integer wrap vulnerability." CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3829 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-4376 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the daintree_sna_read function in the Daintree SNA file parser in Wireshark 1.2.0 through 1.2.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4376 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-4377 CVE STATUS: Patched CVE SUMMARY: The (1) SMB and (2) SMB2 dissectors in Wireshark 0.9.0 through 1.2.4 allow remote attackers to cause a denial of service (crash) via a crafted packet that triggers a NULL pointer dereference, as demonstrated by fuzz-2009-12-07-11141.pcap. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4377 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2009-4378 CVE STATUS: Patched CVE SUMMARY: The IPMI dissector in Wireshark 1.2.0 through 1.2.4 on Windows allows remote attackers to cause a denial of service (crash) via a crafted packet, related to "formatting a date/time using strftime." CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4378 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2010-0304 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in the LWRES dissector in Wireshark 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allow remote attackers to cause a denial of service (crash) via a malformed packet, as demonstrated using a stack-based buffer overflow to the dissect_getaddrsbyname_request function. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0304 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2010-1455 CVE STATUS: Patched CVE SUMMARY: The DOCSIS dissector in Wireshark 0.9.6 through 1.0.12 and 1.2.0 through 1.2.7 allows user-assisted remote attackers to cause a denial of service (application crash) via a malformed packet trace file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1455 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2010-2283 CVE STATUS: Patched CVE SUMMARY: The SMB dissector in Wireshark 0.99.6 through 1.0.13, and 1.2.0 through 1.2.8 allows remote attackers to cause a denial of service (NULL pointer dereference) via unknown vectors. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2283 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2010-2284 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the ASN.1 BER dissector in Wireshark 0.10.13 through 1.0.13 and 1.2.0 through 1.2.8 has unknown impact and remote attack vectors. CVSS v2 BASE SCORE: 8.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2284 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2010-2285 CVE STATUS: Patched CVE SUMMARY: The SMB PIPE dissector in Wireshark 0.8.20 through 1.0.13 and 1.2.0 through 1.2.8 allows remote attackers to cause a denial of service (NULL pointer dereference) via unknown vectors. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2285 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2010-2286 CVE STATUS: Patched CVE SUMMARY: The SigComp Universal Decompressor Virtual Machine dissector in Wireshark 0.10.7 through 1.0.13 and 1.2.0 through 1.2.8 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2286 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2010-2287 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the SigComp Universal Decompressor Virtual Machine dissector in Wireshark 0.10.8 through 1.0.13 and 1.2.0 through 1.2.8 has unknown impact and remote attack vectors. CVSS v2 BASE SCORE: 8.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2287 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2010-2992 CVE STATUS: Patched CVE SUMMARY: packet-gsm_a_rr.c in the GSM A RR dissector in Wireshark 1.2.2 through 1.2.9 allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger a NULL pointer dereference. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2992 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2010-2993 CVE STATUS: Patched CVE SUMMARY: The IPMI dissector in Wireshark 1.2.0 through 1.2.9 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2993 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2010-2994 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the ASN.1 BER dissector in Wireshark 0.10.13 through 1.0.14 and 1.2.0 through 1.2.9 has unknown impact and remote attack vectors. NOTE: this issue exists because of a CVE-2010-2284 regression. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2994 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2010-2995 CVE STATUS: Patched CVE SUMMARY: The SigComp Universal Decompressor Virtual Machine (UDVM) in Wireshark 0.10.8 through 1.0.14 and 1.2.0 through 1.2.9 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to sigcomp-udvm.c and an off-by-one error, which triggers a buffer overflow, different vulnerabilities than CVE-2010-2287. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2995 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2010-3133 CVE STATUS: Patched CVE SUMMARY: Untrusted search path vulnerability in Wireshark 0.8.4 through 1.0.15 and 1.2.0 through 1.2.10 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse airpcap.dll, and possibly other DLLs, that is located in the same folder as a file that automatically launches Wireshark. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3133 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2010-3445 CVE STATUS: Patched CVE SUMMARY: Stack consumption vulnerability in the dissect_ber_unknown function in epan/dissectors/packet-ber.c in the BER dissector in Wireshark 1.4.x before 1.4.1 and 1.2.x before 1.2.12 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a long string in an unknown ASN.1/BER encoded packet, as demonstrated using SNMP. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3445 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2010-4300 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the dissect_ldss_transfer function (epan/dissectors/packet-ldss.c) in the LDSS dissector in Wireshark 1.2.0 through 1.2.12 and 1.4.0 through 1.4.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an LDSS packet with a long digest line that triggers memory corruption. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4300 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2010-4301 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-zbee-zcl.c in the ZigBee ZCL dissector in Wireshark 1.4.0 through 1.4.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted ZCL packet, related to Discover Attributes. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4301 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2010-4538 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the sect_enttec_dmx_da function in epan/dissectors/packet-enttec.c in Wireshark 1.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ENTTEC DMX packet with Run Length Encoding (RLE) compression. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4538 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-0024 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in wiretap/pcapng.c in Wireshark before 1.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted capture file. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0024 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-0444 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the MAC-LTE dissector (epan/dissectors/packet-mac-lte.c) in Wireshark 1.2.0 through 1.2.13 and 1.4.0 through 1.4.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of RARs. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0444 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-0445 CVE STATUS: Patched CVE SUMMARY: The ASN.1 BER dissector in Wireshark 1.4.0 through 1.4.2 allows remote attackers to cause a denial of service (assertion failure) via crafted packets, as demonstrated by fuzz-2010-12-30-28473.pcap. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0445 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-0538 CVE STATUS: Patched CVE SUMMARY: Wireshark 1.2.0 through 1.2.14, 1.4.0 through 1.4.3, and 1.5.0 frees an uninitialized pointer during processing of a .pcap file in the pcap-ng format, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0538 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-0713 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in wiretap/dct3trace.c in Wireshark 1.2.0 through 1.2.14 and 1.4.0 through 1.4.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long record in a Nokia DCT3 trace file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0713 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-1138 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the dissect_6lowpan_iphc function in packet-6lowpan.c in Wireshark 1.4.0 through 1.4.3 on 32-bit platforms allows remote attackers to cause a denial of service (application crash) via a malformed 6LoWPAN IPv6 packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1138 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-1139 CVE STATUS: Patched CVE SUMMARY: wiretap/pcapng.c in Wireshark 1.2.0 through 1.2.14 and 1.4.0 through 1.4.3 allows remote attackers to cause a denial of service (application crash) via a pcap-ng file that contains a large packet-length field. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1139 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-1140 CVE STATUS: Patched CVE SUMMARY: Multiple stack consumption vulnerabilities in the dissect_ms_compressed_string and dissect_mscldap_string functions in Wireshark 1.0.x, 1.2.0 through 1.2.14, and 1.4.0 through 1.4.3 allow remote attackers to cause a denial of service (infinite recursion) via a crafted (1) SMB or (2) Connection-less LDAP (CLDAP) packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1140 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-1141 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-ldap.c in Wireshark 1.0.x, 1.2.0 through 1.2.14, and 1.4.0 through 1.4.3 allows remote attackers to cause a denial of service (memory consumption) via (1) a long LDAP filter string or (2) an LDAP filter string containing many elements. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1141 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-1142 CVE STATUS: Patched CVE SUMMARY: Stack consumption vulnerability in the dissect_ber_choice function in the BER dissector in Wireshark 1.2.x through 1.2.15 and 1.4.x through 1.4.4 might allow remote attackers to cause a denial of service (infinite loop) via vectors involving self-referential ASN.1 CHOICE values. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1142 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-1143 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-ntlmssp.c in the NTLMSSP dissector in Wireshark before 1.4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted .pcap file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1143 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-1590 CVE STATUS: Patched CVE SUMMARY: The X.509if dissector in Wireshark 1.2.x before 1.2.16 and 1.4.x before 1.4.5 does not properly initialize certain global variables, which allows remote attackers to cause a denial of service (application crash) via a crafted .pcap file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1590 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-1591 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect.c in Wireshark 1.4.x before 1.4.5 allows remote attackers to execute arbitrary code via a crafted .pcap file. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1591 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-1592 CVE STATUS: Patched CVE SUMMARY: The NFS dissector in epan/dissectors/packet-nfs.c in Wireshark 1.4.x before 1.4.5 on Windows uses an incorrect integer data type during decoding of SETCLIENTID calls, which allows remote attackers to cause a denial of service (application crash) via a crafted .pcap file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1592 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-1956 CVE STATUS: Patched CVE SUMMARY: The bytes_repr_len function in Wireshark 1.4.5 uses an incorrect pointer argument, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via arbitrary TCP traffic. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1956 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-1957 CVE STATUS: Patched CVE SUMMARY: The dissect_dcm_main function in epan/dissectors/packet-dcm.c in the DICOM dissector in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (infinite loop) via an invalid PDU length. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1957 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-1958 CVE STATUS: Patched CVE SUMMARY: Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Diameter dictionary file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1958 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-1959 CVE STATUS: Patched CVE SUMMARY: The snoop_read function in wiretap/snoop.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 does not properly handle certain virtualizable buffers, which allows remote attackers to cause a denial of service (application crash) via a large length value in a snoop file that triggers a stack-based buffer over-read. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1959 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-2174 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in the tvb_uncompress function in epan/tvbuff.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (application crash) via a packet with malformed data that uses zlib compression. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2174 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-2175 CVE STATUS: Patched CVE SUMMARY: Integer underflow in the visual_read function in wiretap/visual.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (application crash) via a malformed Visual Networks file that triggers a heap-based buffer over-read. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2175 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-2597 CVE STATUS: Patched CVE SUMMARY: The Lucent/Ascend file parser in Wireshark 1.2.x before 1.2.18, 1.4.x through 1.4.7, and 1.6.0 allows remote attackers to cause a denial of service (infinite loop) via malformed packets. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2597 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-2698 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the elem_cell_id_aux function in epan/dissectors/packet-ansi_a.c in the ANSI MAP dissector in Wireshark 1.4.x before 1.4.8 and 1.6.x before 1.6.1 allows remote attackers to cause a denial of service (infinite loop) via an invalid packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2698 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-3266 CVE STATUS: Patched CVE SUMMARY: The proto_tree_add_item function in Wireshark 1.6.0 through 1.6.1 and 1.4.0 through 1.4.8, when the IKEv1 protocol dissector is used, allows user-assisted remote attackers to cause a denial of service (infinite loop) via vectors involving a malformed IKE packet and many items in a tree. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3266 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-3360 CVE STATUS: Patched CVE SUMMARY: Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3360 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-3482 CVE STATUS: Patched CVE SUMMARY: The csnStreamDissector function in epan/dissectors/packet-csn1.c in the CSN.1 dissector in Wireshark 1.6.x before 1.6.2 does not initialize a certain structure member, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3482 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-3483 CVE STATUS: Patched CVE SUMMARY: Wireshark 1.6.x before 1.6.2 allows remote attackers to cause a denial of service (application crash) via a malformed capture file that leads to an invalid root tvbuff, related to a "buffer exception handling vulnerability." CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3483 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-3484 CVE STATUS: Patched CVE SUMMARY: The unxorFrame function in epan/dissectors/packet-opensafety.c in the OpenSafety dissector in Wireshark 1.6.x before 1.6.2 does not properly validate a certain frame size, which allows remote attackers to cause a denial of service (loop and application crash) via a malformed packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3484 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-4100 CVE STATUS: Patched CVE SUMMARY: The csnStreamDissector function in epan/dissectors/packet-csn1.c in the CSN.1 dissector in Wireshark 1.6.x before 1.6.3 does not initialize a certain variable, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4100 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-4101 CVE STATUS: Patched CVE SUMMARY: The dissect_infiniband_common function in epan/dissectors/packet-infiniband.c in the Infiniband dissector in Wireshark 1.4.0 through 1.4.9 and 1.6.x before 1.6.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4101 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2011-4102 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the erf_read_header function in wiretap/erf.c in the ERF file parser in Wireshark 1.4.0 through 1.4.9 and 1.6.x before 1.6.3 allows remote attackers to cause a denial of service (application crash) via a malformed file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4102 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-0041 CVE STATUS: Patched CVE SUMMARY: The dissect_packet function in epan/packet.c in Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of service (application crash) via a long packet in a capture file, as demonstrated by an airopeek file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0041 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-0042 CVE STATUS: Patched CVE SUMMARY: Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 does not properly perform certain string conversions, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted packet, related to epan/to_str.c. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0042 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-0043 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the reassemble_message function in epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a series of fragmented RLC packets. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0043 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-0066 CVE STATUS: Patched CVE SUMMARY: Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of service (application crash) via a long packet in a (1) Accellent 5Views (aka .5vw) file, (2) I4B trace file, or (3) NETMON 2 capture file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0066 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-0067 CVE STATUS: Patched CVE SUMMARY: wiretap/iptrace.c in Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of service (application crash) via a long packet in an AIX iptrace file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0067 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-0068 CVE STATUS: Patched CVE SUMMARY: The lanalyzer_read function in wiretap/lanalyzer.c in Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of service (application crash) via a Novell capture file containing a record that is too small. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0068 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-1593 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-ansi_a.c in the ANSI A dissector in Wireshark 1.4.x before 1.4.12 and 1.6.x before 1.6.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed packet. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1593 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-1594 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in Wireshark 1.6.x before 1.6.6 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1594 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-1595 CVE STATUS: Patched CVE SUMMARY: The pcap_process_pseudo_header function in wiretap/pcap-common.c in Wireshark 1.4.x before 1.4.12 and 1.6.x before 1.6.6 allows remote attackers to cause a denial of service (application crash) via a WTAP_ENCAP_ERF file containing an Extension or Multi-Channel header with an invalid pseudoheader size, related to the pcap and pcap-ng file parsers. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1595 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-1596 CVE STATUS: Patched CVE SUMMARY: The mp2t_process_fragmented_payload function in epan/dissectors/packet-mp2t.c in the MP2T dissector in Wireshark 1.4.x before 1.4.12 and 1.6.x before 1.6.6 allows remote attackers to cause a denial of service (application crash) via a packet containing an invalid pointer value that triggers an incorrect memory-allocation attempt. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1596 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-2392 CVE STATUS: Patched CVE SUMMARY: Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 allows remote attackers to cause a denial of service (infinite loop) via vectors related to the (1) ANSI MAP, (2) ASF, (3) IEEE 802.11, (4) IEEE 802.3, and (5) LTP dissectors. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2392 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-2393 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-diameter.c in the DIAMETER dissector in Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 does not properly construct certain array data structures, which allows remote attackers to cause a denial of service (application crash) via a crafted packet that triggers incorrect memory allocation. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2393 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-2394 CVE STATUS: Patched CVE SUMMARY: Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 on the SPARC and Itanium platforms does not properly perform data alignment for a certain structure member, which allows remote attackers to cause a denial of service (application crash) via a (1) ICMP or (2) ICMPv6 Echo Request packet. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2394 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-3548 CVE STATUS: Patched CVE SUMMARY: The dissect_drda function in epan/dissectors/packet-drda.c in Wireshark 1.6.x through 1.6.10 and 1.8.x through 1.8.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a small value for a certain length field in a capture file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3548 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-3825 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 allow remote attackers to cause a denial of service (infinite loop) via vectors related to the (1) BACapp and (2) Bluetooth HCI dissectors, a different vulnerability than CVE-2012-2392. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3825 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-3826 CVE STATUS: Patched CVE SUMMARY: Multiple integer underflows in Wireshark 1.4.x before 1.4.13 and 1.6.x before 1.6.8 allow remote attackers to cause a denial of service (loop) via vectors related to the R3 dissector, a different vulnerability than CVE-2012-2392. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3826 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-4048 CVE STATUS: Patched CVE SUMMARY: The PPP dissector in Wireshark 1.4.x before 1.4.14, 1.6.x before 1.6.9, and 1.8.x before 1.8.1 allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via a crafted packet, as demonstrated by a usbmon dump. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4048 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-4049 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-nfs.c in the NFS dissector in Wireshark 1.4.x before 1.4.14, 1.6.x before 1.6.9, and 1.8.x before 1.8.1 allows remote attackers to cause a denial of service (loop and CPU consumption) via a crafted packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4049 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-4285 CVE STATUS: Patched CVE SUMMARY: The dissect_pft function in epan/dissectors/packet-dcp-etsi.c in the DCP ETSI dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a zero-length message. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4285 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-4286 CVE STATUS: Patched CVE SUMMARY: The pcapng_read_packet_block function in wiretap/pcapng.c in the pcap-ng file parser in Wireshark 1.8.x before 1.8.2 allows user-assisted remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted pcap-ng file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4286 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-4287 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-mongo.c in the MongoDB dissector in Wireshark 1.8.x before 1.8.2 allows remote attackers to cause a denial of service (loop and CPU consumption) via a small value for a BSON document length. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4287 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-4288 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the dissect_xtp_ecntl function in epan/dissectors/packet-xtp.c in the XTP dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 allows remote attackers to cause a denial of service (loop or application crash) via a large value for a span length. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4288 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-4289 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-afp.c in the AFP dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 allows remote attackers to cause a denial of service (loop and CPU consumption) via a large number of ACL entries. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4289 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-4290 CVE STATUS: Patched CVE SUMMARY: The CTDB dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 allows remote attackers to cause a denial of service (loop and CPU consumption) via a malformed packet. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4290 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-4291 CVE STATUS: Patched CVE SUMMARY: The CIP dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 allows remote attackers to cause a denial of service (memory consumption) via a malformed packet. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4291 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-4292 CVE STATUS: Patched CVE SUMMARY: The dissect_stun_message function in epan/dissectors/packet-stun.c in the STUN dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 does not properly interact with key-destruction behavior in a certain tree library, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4292 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-4293 CVE STATUS: Patched CVE SUMMARY: plugins/ethercat/packet-ecatmb.c in the EtherCAT Mailbox dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 does not properly handle certain integer fields, which allows remote attackers to cause a denial of service (application exit) via a malformed packet. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4293 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-4294 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the channelised_fill_sdh_g707_format function in epan/dissectors/packet-erf.c in the ERF dissector in Wireshark 1.8.x before 1.8.2 allows remote attackers to execute arbitrary code via a large speed (aka rate) value. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4294 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-4295 CVE STATUS: Patched CVE SUMMARY: Array index error in the channelised_fill_sdh_g707_format function in epan/dissectors/packet-erf.c in the ERF dissector in Wireshark 1.8.x before 1.8.2 might allow remote attackers to cause a denial of service (application crash) via a crafted speed (aka rate) value. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4295 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-4296 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in epan/dissectors/packet-rtps2.c in the RTPS2 dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 allows remote attackers to cause a denial of service (CPU consumption) via a malformed packet. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4296 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-4297 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the dissect_gsm_rlcmac_downlink function in epan/dissectors/packet-gsm_rlcmac.c in the GSM RLC MAC dissector in Wireshark 1.6.x before 1.6.10 and 1.8.x before 1.8.2 allows remote attackers to execute arbitrary code via a malformed packet. CVSS v2 BASE SCORE: 8.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4297 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-4298 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the vwr_read_rec_data_ethernet function in wiretap/vwr.c in the Ixia IxVeriWave file parser in Wireshark 1.8.x before 1.8.2 allows user-assisted remote attackers to execute arbitrary code via a crafted packet-trace file that triggers a buffer overflow. CVSS v2 BASE SCORE: 5.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4298 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-5237 CVE STATUS: Patched CVE SUMMARY: The dissect_hsrp function in epan/dissectors/packet-hsrp.c in the HSRP dissector in Wireshark 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5237 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-5238 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-ppp.c in the PPP dissector in Wireshark 1.8.x before 1.8.3 uses incorrect OUI data structures during the decoding of (1) PPP and (2) LCP data, which allows remote attackers to cause a denial of service (assertion failure and application exit) via a malformed packet. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5238 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-5240 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the dissect_tlv function in epan/dissectors/packet-ldp.c in the LDP dissector in Wireshark 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a malformed packet. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5240 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-6052 CVE STATUS: Patched CVE SUMMARY: Wireshark 1.8.x before 1.8.4 allows remote attackers to obtain sensitive hostname information by reading pcap-ng files. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6052 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-6053 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-usb.c in the USB dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 relies on a length field to calculate an offset value, which allows remote attackers to cause a denial of service (infinite loop) via a zero value for this field. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6053 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-6054 CVE STATUS: Patched CVE SUMMARY: The dissect_sflow_245_address_type function in epan/dissectors/packet-sflow.c in the sFlow dissector in Wireshark 1.8.x before 1.8.4 does not properly handle length calculations for an invalid IP address type, which allows remote attackers to cause a denial of service (infinite loop) via a packet that is neither IPv4 nor IPv6. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6054 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-6055 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-3g-a11.c in the 3GPP2 A11 dissector in Wireshark 1.8.x before 1.8.4 allows remote attackers to cause a denial of service (infinite loop) via a zero value in a sub-type length field. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6055 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-6056 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the dissect_sack_chunk function in epan/dissectors/packet-sctp.c in the SCTP dissector in Wireshark 1.8.x before 1.8.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted Duplicate TSN count. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6056 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-6057 CVE STATUS: Patched CVE SUMMARY: The dissect_eigrp_metric_comm function in epan/dissectors/packet-eigrp.c in the EIGRP dissector in Wireshark 1.8.x before 1.8.4 uses the wrong data type for a certain offset value, which allows remote attackers to cause a denial of service (integer overflow and infinite loop) via a malformed packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6057 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-6058 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the dissect_icmpv6 function in epan/dissectors/packet-icmpv6.c in the ICMPv6 dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted Number of Sources value. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6058 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-6059 CVE STATUS: Patched CVE SUMMARY: The dissect_isakmp function in epan/dissectors/packet-isakmp.c in the ISAKMP dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 uses an incorrect data structure to determine IKEv2 decryption parameters, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6059 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-6060 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the dissect_iscsi_pdu function in epan/dissectors/packet-iscsi.c in the iSCSI dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6060 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-6061 CVE STATUS: Patched CVE SUMMARY: The dissect_wtp_common function in epan/dissectors/packet-wtp.c in the WTP dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 uses an incorrect data type for a certain length field, which allows remote attackers to cause a denial of service (integer overflow and infinite loop) via a crafted value in a packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6061 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2012-6062 CVE STATUS: Patched CVE SUMMARY: The dissect_rtcp_app function in epan/dissectors/packet-rtcp.c in the RTCP dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6062 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1572 CVE STATUS: Patched CVE SUMMARY: The dissect_oampdu_event_notification function in epan/dissectors/packet-slowprotocols.c in the IEEE 802.3 Slow Protocols dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle certain short lengths, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1572 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1573 CVE STATUS: Patched CVE SUMMARY: The csnStreamDissector function in epan/dissectors/packet-csn1.c in the CSN.1 dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle a large number of padding bits, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1573 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1574 CVE STATUS: Patched CVE SUMMARY: The dissect_bthci_eir_ad_data function in epan/dissectors/packet-bthci_cmd.c in the Bluetooth HCI dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 uses an incorrect data type for a counter variable, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1574 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1575 CVE STATUS: Patched CVE SUMMARY: The dissect_r3_cmd_alarmconfigure function in epan/dissectors/packet-assa_r3.c in the R3 dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle a certain alarm length, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1575 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1576 CVE STATUS: Patched CVE SUMMARY: The dissect_sdp_media_attribute function in epan/dissectors/packet-sdp.c in the SDP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly process crypto-suite parameters, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1576 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1577 CVE STATUS: Patched CVE SUMMARY: The dissect_sip_p_charging_func_addresses function in epan/dissectors/packet-sip.c in the SIP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle offset data associated with a quoted string, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1577 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1578 CVE STATUS: Patched CVE SUMMARY: The dissect_pw_eth_heuristic function in epan/dissectors/packet-pw-eth.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle apparent Ethernet address values at the beginning of MPLS data, which allows remote attackers to cause a denial of service (loop) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1578 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1579 CVE STATUS: Patched CVE SUMMARY: The rtps_util_add_bitmap function in epan/dissectors/packet-rtps.c in the RTPS dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly implement certain nested loops for processing bitmap data, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1579 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1580 CVE STATUS: Patched CVE SUMMARY: The dissect_cmstatus_tlv function in plugins/docsis/packet-cmstatus.c in the DOCSIS CM-STATUS dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 uses an incorrect data type for a position variable, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1580 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1581 CVE STATUS: Patched CVE SUMMARY: The dissect_pft_fec_detailed function in epan/dissectors/packet-dcp-etsi.c in the DCP-ETSI dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle fragment gaps, which allows remote attackers to cause a denial of service (loop) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1581 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1582 CVE STATUS: Patched CVE SUMMARY: The dissect_clnp function in epan/dissectors/packet-clnp.c in the CLNP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly manage an offset variable, which allows remote attackers to cause a denial of service (infinite loop or application crash) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1582 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1583 CVE STATUS: Patched CVE SUMMARY: The dissect_version_4_primary_header function in epan/dissectors/packet-dtn.c in the DTN dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 accesses an inappropriate pointer, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1583 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1584 CVE STATUS: Patched CVE SUMMARY: The dissect_version_5_and_6_primary_header function in epan/dissectors/packet-dtn.c in the DTN dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 accesses an inappropriate pointer, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1584 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1585 CVE STATUS: Patched CVE SUMMARY: epan/tvbuff.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly validate certain length values for the MS-MMC dissector, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1585 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1586 CVE STATUS: Patched CVE SUMMARY: The fragment_set_tot_len function in epan/reassemble.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly determine the length of a reassembled packet for the DTLS dissector, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1586 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1587 CVE STATUS: Patched CVE SUMMARY: The dissect_rohc_ir_packet function in epan/dissectors/packet-rohc.c in the ROHC dissector in Wireshark 1.8.x before 1.8.5 does not properly handle unknown profiles, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1587 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1588 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in the dissect_pft_fec_detailed function in the DCP-ETSI dissector in epan/dissectors/packet-dcp-etsi.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 allow remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1588 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1589 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in epan/proto.c in the dissection engine in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1589 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-1590 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the NTLMSSP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1590 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-2475 CVE STATUS: Patched CVE SUMMARY: The TCP dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2475 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-2476 CVE STATUS: Patched CVE SUMMARY: The dissect_hartip function in epan/dissectors/packet-hartip.c in the HART/IP dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a packet with a header that is too short. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2476 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-2477 CVE STATUS: Patched CVE SUMMARY: The CSN.1 dissector in Wireshark 1.8.x before 1.8.6 does not properly manage function pointers, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2477 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-2478 CVE STATUS: Patched CVE SUMMARY: The dissect_server_info function in epan/dissectors/packet-ms-mms.c in the MS-MMS dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 does not properly manage string lengths, which allows remote attackers to cause a denial of service (application crash) via a malformed packet that (1) triggers an integer overflow or (2) has embedded '\0' characters in a string. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2478 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-2479 CVE STATUS: Patched CVE SUMMARY: The dissect_mpls_echo_tlv_dd_map function in epan/dissectors/packet-mpls-echo.c in the MPLS Echo dissector in Wireshark 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via invalid Sub-tlv data. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2479 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-2480 CVE STATUS: Patched CVE SUMMARY: The RTPS and RTPS2 dissectors in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allow remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2480 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-2481 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the dissect_mount_dirpath_call function in epan/dissectors/packet-mount.c in the Mount dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6, when nfs_file_name_snooping is enabled, allows remote attackers to cause a denial of service (application crash) via a negative length value. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2481 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-2482 CVE STATUS: Patched CVE SUMMARY: The AMPQ dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2482 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-2483 CVE STATUS: Patched CVE SUMMARY: The acn_add_dmp_data function in epan/dissectors/packet-acn.c in the ACN dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via an invalid count value in ACN_DMP_ADT_D_RE DMP data. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2483 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-2484 CVE STATUS: Patched CVE SUMMARY: The CIMD dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2484 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-2485 CVE STATUS: Patched CVE SUMMARY: The FCSP dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2485 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-2486 CVE STATUS: Patched CVE SUMMARY: The dissect_diagnosticrequest function in epan/dissectors/packet-reload.c in the REsource LOcation And Discovery (aka RELOAD) dissector in Wireshark 1.8.x before 1.8.6 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (infinite loop) via crafted integer values in a packet. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2486 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-2487 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-reload.c in the REsource LOcation And Discovery (aka RELOAD) dissector in Wireshark 1.8.x before 1.8.6 uses incorrect integer data types, which allows remote attackers to cause a denial of service (infinite loop) via crafted integer values in a packet, related to the (1) dissect_icecandidates, (2) dissect_kinddata, (3) dissect_nodeid_list, (4) dissect_storeans, (5) dissect_storereq, (6) dissect_storeddataspecifier, (7) dissect_fetchreq, (8) dissect_findans, (9) dissect_diagnosticinfo, (10) dissect_diagnosticresponse, (11) dissect_reload_messagecontents, and (12) dissect_reload_message functions, a different vulnerability than CVE-2013-2486. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2487 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-2488 CVE STATUS: Patched CVE SUMMARY: The DTLS dissector in Wireshark 1.6.x before 1.6.14 and 1.8.x before 1.8.6 does not validate the fragment offset before invoking the reassembly state machine, which allows remote attackers to cause a denial of service (application crash) via a large offset value that triggers write access to an invalid memory location. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2488 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-3555 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-gtpv2.c in the GTPv2 dissector in Wireshark 1.8.x before 1.8.7 calls incorrect functions in certain contexts related to ciphers, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3555 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-3556 CVE STATUS: Patched CVE SUMMARY: The fragment_add_seq_common function in epan/reassemble.c in the ASN.1 BER dissector in Wireshark before r48943 has an incorrect pointer dereference during a comparison, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3556 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-3557 CVE STATUS: Patched CVE SUMMARY: The dissect_ber_choice function in epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.6.x before 1.6.15 and 1.8.x before 1.8.7 does not properly initialize a certain variable, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3557 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-3558 CVE STATUS: Patched CVE SUMMARY: The dissect_ccp_bsdcomp_opt function in epan/dissectors/packet-ppp.c in the PPP CCP dissector in Wireshark 1.8.x before 1.8.7 does not terminate a bit-field list, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3558 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-3559 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-dcp-etsi.c in the DCP ETSI dissector in Wireshark 1.8.x before 1.8.7 uses incorrect integer data types, which allows remote attackers to cause a denial of service (integer overflow, and heap memory corruption or NULL pointer dereference, and application crash) via a malformed packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3559 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-3560 CVE STATUS: Patched CVE SUMMARY: The dissect_dsmcc_un_download function in epan/dissectors/packet-mpeg-dsmcc.c in the MPEG DSM-CC dissector in Wireshark 1.8.x before 1.8.7 uses an incorrect format string, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3560 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-3561 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in Wireshark 1.8.x before 1.8.7 allow remote attackers to cause a denial of service (loop or application crash) via a malformed packet, related to a crash of the Websocket dissector, an infinite loop in the MySQL dissector, and a large loop in the ETCH dissector. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3561 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-3562 CVE STATUS: Patched CVE SUMMARY: Multiple integer signedness errors in the tvb_unmasked function in epan/dissectors/packet-websocket.c in the Websocket dissector in Wireshark 1.8.x before 1.8.7 allow remote attackers to cause a denial of service (application crash) via a malformed packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3562 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4074 CVE STATUS: Patched CVE SUMMARY: The dissect_capwap_data function in epan/dissectors/packet-capwap.c in the CAPWAP dissector in Wireshark 1.6.x before 1.6.16 and 1.8.x before 1.8.8 incorrectly uses a -1 data value to represent an error condition, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4074 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4075 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-gmr1_bcch.c in the GMR-1 BCCH dissector in Wireshark 1.8.x before 1.8.8 does not properly initialize memory, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4075 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4076 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the dissect_iphc_crtp_fh function in epan/dissectors/packet-ppp.c in the PPP dissector in Wireshark 1.8.x before 1.8.8 allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4076 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4077 CVE STATUS: Patched CVE SUMMARY: Array index error in the NBAP dissector in Wireshark 1.8.x before 1.8.8 allows remote attackers to cause a denial of service (application crash) via a crafted packet, related to nbap.cnf and packet-nbap.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4077 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4078 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-rdp.c in the RDP dissector in Wireshark 1.8.x before 1.8.8 does not validate return values during checks for data availability, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4078 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4079 CVE STATUS: Patched CVE SUMMARY: The dissect_schedule_message function in epan/dissectors/packet-gsm_cbch.c in the GSM CBCH dissector in Wireshark 1.8.x before 1.8.8 allows remote attackers to cause a denial of service (infinite loop and application hang) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4079 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4080 CVE STATUS: Patched CVE SUMMARY: The dissect_r3_upstreamcommand_queryconfig function in epan/dissectors/packet-assa_r3.c in the Assa Abloy R3 dissector in Wireshark 1.8.x before 1.8.8 does not properly handle a zero-length item, which allows remote attackers to cause a denial of service (infinite loop, and CPU and memory consumption) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4080 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4081 CVE STATUS: Patched CVE SUMMARY: The http_payload_subdissector function in epan/dissectors/packet-http.c in the HTTP dissector in Wireshark 1.6.x before 1.6.16 and 1.8.x before 1.8.8 does not properly determine when to use a recursive approach, which allows remote attackers to cause a denial of service (stack consumption) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4081 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4082 CVE STATUS: Patched CVE SUMMARY: The vwr_read function in wiretap/vwr.c in the Ixia IxVeriWave file parser in Wireshark 1.8.x before 1.8.8 does not validate the relationship between a record length and a trailer length, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4082 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4083 CVE STATUS: Patched CVE SUMMARY: The dissect_pft function in epan/dissectors/packet-dcp-etsi.c in the DCP ETSI dissector in Wireshark 1.6.x before 1.6.16, 1.8.x before 1.8.8, and 1.10.0 does not validate a certain fragment length value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4083 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4920 CVE STATUS: Patched CVE SUMMARY: The P1 dissector in Wireshark 1.10.x before 1.10.1 does not properly initialize a global variable, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4920 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4921 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the dissect_radiotap function in epan/dissectors/packet-ieee80211-radiotap.c in the Radiotap dissector in Wireshark 1.10.x before 1.10.1 allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4921 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4922 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in the dissect_dcom_ActivationProperties function in epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator dissector in Wireshark 1.10.x before 1.10.1 allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4922 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4923 CVE STATUS: Patched CVE SUMMARY: Memory leak in the dissect_dcom_ActivationProperties function in epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator dissector in Wireshark 1.10.x before 1.10.1 allows remote attackers to cause a denial of service (memory consumption) via crafted packets. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4923 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4924 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator dissector in Wireshark 1.10.x before 1.10.1 does not properly validate certain index values, which allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4924 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4925 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator dissector in Wireshark 1.10.x before 1.10.1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4925 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4926 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-dcom-sysact.c in the DCOM ISystemActivator dissector in Wireshark 1.10.x before 1.10.1 does not properly determine whether there is remaining packet data to process, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4926 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4927 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the get_type_length function in epan/dissectors/packet-btsdp.c in the Bluetooth SDP dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 allows remote attackers to cause a denial of service (loop and CPU consumption) via a crafted packet. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4927 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4928 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the dissect_headers function in epan/dissectors/packet-btobex.c in the Bluetooth OBEX dissector in Wireshark 1.10.x before 1.10.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4928 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4929 CVE STATUS: Patched CVE SUMMARY: The parseFields function in epan/dissectors/packet-dis-pdus.c in the DIS dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not terminate packet-data processing after finding zero remaining bytes, which allows remote attackers to cause a denial of service (loop) via a crafted packet. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4929 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4930 CVE STATUS: Patched CVE SUMMARY: The dissect_dvbci_tpdu_hdr function in epan/dissectors/packet-dvbci.c in the DVB-CI dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not validate a certain length value before decrementing it, which allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4930 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4931 CVE STATUS: Patched CVE SUMMARY: epan/proto.c in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 allows remote attackers to cause a denial of service (loop) via a crafted packet that is not properly handled by the GSM RR dissector. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4931 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4932 CVE STATUS: Patched CVE SUMMARY: Multiple array index errors in epan/dissectors/packet-gsm_a_common.c in the GSM A Common dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 allow remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4932 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4933 CVE STATUS: Patched CVE SUMMARY: The netmon_open function in wiretap/netmon.c in the Netmon file parser in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) via a crafted packet-trace file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4933 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4934 CVE STATUS: Patched CVE SUMMARY: The netmon_open function in wiretap/netmon.c in the Netmon file parser in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not initialize certain structure members, which allows remote attackers to cause a denial of service (application crash) via a crafted packet-trace file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4934 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4935 CVE STATUS: Patched CVE SUMMARY: The dissect_per_length_determinant function in epan/dissectors/packet-per.c in the ASN.1 PER dissector in Wireshark 1.8.x before 1.8.9 and 1.10.x before 1.10.1 does not initialize a length field in certain abnormal situations, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4935 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-4936 CVE STATUS: Patched CVE SUMMARY: The IsDFP_Frame function in plugins/profinet/packet-pn-rt.c in the PROFINET Real-Time dissector in Wireshark 1.10.x before 1.10.1 does not validate MAC addresses, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4936 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-5717 CVE STATUS: Patched CVE SUMMARY: The Bluetooth HCI ACL dissector in Wireshark 1.10.x before 1.10.2 does not properly maintain a certain free list, which allows remote attackers to cause a denial of service (application crash) via a crafted packet that is not properly handled by the wmem_block_alloc function in epan/wmem/wmem_allocator_block.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-5717 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-5718 CVE STATUS: Patched CVE SUMMARY: The dissect_nbap_T_dCH_ID function in epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 does not restrict the dch_id value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-5718 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-5719 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-assa_r3.c in the ASSA R3 dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-5719 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-5720 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the RTPS dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-5720 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-5721 CVE STATUS: Patched CVE SUMMARY: The dissect_mq_rr function in epan/dissectors/packet-mq.c in the MQ dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 does not properly determine when to enter a certain loop, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-5721 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-5722 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the LDAP dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-5722 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-6336 CVE STATUS: Patched CVE SUMMARY: The ieee802154_map_rec function in epan/dissectors/packet-ieee802154.c in the IEEE 802.15.4 dissector in Wireshark 1.8.x before 1.8.11 and 1.10.x before 1.10.3 uses an incorrect pointer chain, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6336 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-6337 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the NBAP dissector in Wireshark 1.8.x before 1.8.11 and 1.10.x before 1.10.3 allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6337 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-6338 CVE STATUS: Patched CVE SUMMARY: The dissect_sip_common function in epan/dissectors/packet-sip.c in the SIP dissector in Wireshark 1.8.x before 1.8.11 and 1.10.x before 1.10.3 does not properly initialize a data structure, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6338 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-6339 CVE STATUS: Patched CVE SUMMARY: The dissect_openwire_type function in epan/dissectors/packet-openwire.c in the OpenWire dissector in Wireshark 1.8.x before 1.8.11 and 1.10.x before 1.10.3 allows remote attackers to cause a denial of service (loop) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6339 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-6340 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-tcp.c in the TCP dissector in Wireshark 1.8.x before 1.8.11 and 1.10.x before 1.10.3 does not properly determine the amount of remaining data, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6340 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-7112 CVE STATUS: Patched CVE SUMMARY: The dissect_sip_common function in epan/dissectors/packet-sip.c in the SIP dissector in Wireshark 1.8.x before 1.8.12 and 1.10.x before 1.10.4 does not check for empty lines, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7112 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-7113 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-bssgp.c in the BSSGP dissector in Wireshark 1.10.x before 1.10.4 incorrectly relies on a global variable, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7113 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2013-7114 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in the create_ntlmssp_v2_key function in epan/dissectors/packet-ntlmssp.c in the NTLMSSP v2 dissector in Wireshark 1.8.x before 1.8.12 and 1.10.x before 1.10.4 allow remote attackers to cause a denial of service (application crash) via a long domain name in a packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7114 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-2281 CVE STATUS: Patched CVE SUMMARY: The nfs_name_snoop_add_name function in epan/dissectors/packet-nfs.c in the NFS dissector in Wireshark 1.8.x before 1.8.13 and 1.10.x before 1.10.6 does not validate a certain length value, which allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted NFS packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2281 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-2282 CVE STATUS: Patched CVE SUMMARY: The dissect_protocol_data_parameter function in epan/dissectors/packet-m3ua.c in the M3UA dissector in Wireshark 1.10.x before 1.10.6 does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) via a crafted SS7 MTP3 packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2282 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-2283 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-rlc in the RLC dissector in Wireshark 1.8.x before 1.8.13 and 1.10.x before 1.10.6 uses inconsistent memory-management approaches, which allows remote attackers to cause a denial of service (use-after-free error and application crash) via a crafted UMTS Radio Link Control packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2283 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-2299 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the mpeg_read function in wiretap/mpeg.c in the MPEG parser in Wireshark 1.8.x before 1.8.13 and 1.10.x before 1.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a large record in MPEG data. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2299 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-2907 CVE STATUS: Patched CVE SUMMARY: The srtp_add_address function in epan/dissectors/packet-rtp.c in the RTP dissector in Wireshark 1.10.x before 1.10.7 does not properly update SRTP conversation data, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2907 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-4020 CVE STATUS: Patched CVE SUMMARY: The dissect_frame function in epan/dissectors/packet-frame.c in the frame metadissector in Wireshark 1.10.x before 1.10.8 interprets a negative integer as a length value even though it was intended to represent an error condition, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4020 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-4174 CVE STATUS: Patched CVE SUMMARY: wiretap/libpcap.c in the libpcap file parser in Wireshark 1.10.x before 1.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted packet-trace file that includes a large packet. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4174 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-5161 CVE STATUS: Patched CVE SUMMARY: The dissect_log function in plugins/irda/packet-irda.c in the IrDA dissector in Wireshark 1.10.x before 1.10.9 does not properly strip '\n' characters, which allows remote attackers to cause a denial of service (buffer underflow and application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5161 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-5162 CVE STATUS: Patched CVE SUMMARY: The read_new_line function in wiretap/catapult_dct2000.c in the Catapult DCT2000 dissector in Wireshark 1.10.x before 1.10.9 does not properly strip '\n' and '\r' characters, which allows remote attackers to cause a denial of service (off-by-one buffer underflow and application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5162 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-5163 CVE STATUS: Patched CVE SUMMARY: The APN decode functionality in (1) epan/dissectors/packet-gtp.c and (2) epan/dissectors/packet-gsm_a_gm.c in the GTP and GSM Management dissectors in Wireshark 1.10.x before 1.10.9 does not completely initialize a certain buffer, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5163 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-5164 CVE STATUS: Patched CVE SUMMARY: The rlc_decode_li function in epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.10.x before 1.10.9 initializes a certain structure member only after this member is used, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5164 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-5165 CVE STATUS: Patched CVE SUMMARY: The dissect_ber_constrained_bitstring function in epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.10.x before 1.10.9 does not properly validate padding values, which allows remote attackers to cause a denial of service (buffer underflow and application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5165 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-6421 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the SDP dissector in Wireshark 1.10.x before 1.10.10 allows remote attackers to cause a denial of service (application crash) via a crafted packet that leverages split memory ownership between the SDP and RTP dissectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6421 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-6422 CVE STATUS: Patched CVE SUMMARY: The SDP dissector in Wireshark 1.10.x before 1.10.10 creates duplicate hashtables for a media channel, which allows remote attackers to cause a denial of service (application crash) via a crafted packet to the RTP dissector. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6422 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-6423 CVE STATUS: Patched CVE SUMMARY: The tvb_raw_text_add function in epan/dissectors/packet-megaco.c in the MEGACO dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (infinite loop) via an empty line. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6423 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-6424 CVE STATUS: Patched CVE SUMMARY: The dissect_v9_v10_pdu_data function in epan/dissectors/packet-netflow.c in the Netflow dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 refers to incorrect offset and start variables, which allows remote attackers to cause a denial of service (uninitialized memory read and application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6424 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-6425 CVE STATUS: Patched CVE SUMMARY: The (1) get_quoted_string and (2) get_unquoted_string functions in epan/dissectors/packet-cups.c in the CUPS dissector in Wireshark 1.12.x before 1.12.1 allow remote attackers to cause a denial of service (buffer over-read and application crash) via a CUPS packet that lacks a trailing '\0' character. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6425 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-6426 CVE STATUS: Patched CVE SUMMARY: The dissect_hip_tlv function in epan/dissectors/packet-hip.c in the HIP dissector in Wireshark 1.12.x before 1.12.1 does not properly handle a NULL tree, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6426 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-6427 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the is_rtsp_request_or_reply function in epan/dissectors/packet-rtsp.c in the RTSP dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (application crash) via a crafted packet that triggers parsing of a token located one position beyond the current position. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6427 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-6428 CVE STATUS: Patched CVE SUMMARY: The dissect_spdu function in epan/dissectors/packet-ses.c in the SES dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not initialize a certain ID value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6428 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-6429 CVE STATUS: Patched CVE SUMMARY: The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not properly handle empty input data, which allows remote attackers to cause a denial of service (application crash) via a crafted file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6429 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-6430 CVE STATUS: Patched CVE SUMMARY: The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not validate bitmask data, which allows remote attackers to cause a denial of service (application crash) via a crafted file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6430 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-6431 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (application crash) via a crafted file that triggers writes of uncompressed bytes beyond the end of the output buffer. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6431 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-6432 CVE STATUS: Patched CVE SUMMARY: The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not prevent data overwrites during copy operations, which allows remote attackers to cause a denial of service (application crash) via a crafted file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6432 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-8710 CVE STATUS: Patched CVE SUMMARY: The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8710 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-8711 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8711 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-8712 CVE STATUS: Patched CVE SUMMARY: The build_expert_data function in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 does not properly initialize a data structure, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8712 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-8713 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the build_expert_data function in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8713 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2014-8714 CVE STATUS: Patched CVE SUMMARY: The dissect_write_structured_field function in epan/dissectors/packet-tn5250.c in the TN5250 dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8714 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-0559 CVE STATUS: Patched CVE SUMMARY: Multiple use-after-free vulnerabilities in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 allow remote attackers to cause a denial of service (application crash) via a crafted packet, related to the use of packet-scope memory instead of pinfo-scope memory. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0559 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-0560 CVE STATUS: Patched CVE SUMMARY: The dissect_wccp2r1_address_table_info function in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 does not initialize certain data structures, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0560 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-0561 CVE STATUS: Patched CVE SUMMARY: asn1/lpp/lpp.cnf in the LPP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 does not validate a certain index value, which allows remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0561 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-0562 CVE STATUS: Patched CVE SUMMARY: Multiple use-after-free vulnerabilities in epan/dissectors/packet-dec-dnart.c in the DEC DNA Routing Protocol dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 allow remote attackers to cause a denial of service (application crash) via a crafted packet, related to the use of packet-scope memory instead of pinfo-scope memory. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0562 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-0563 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-smtp.c in the SMTP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 uses an incorrect length value for certain string-append operations, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0563 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-0564 CVE STATUS: Patched CVE SUMMARY: Buffer underflow in the ssl_decrypt_record function in epan/dissectors/packet-ssl-utils.c in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 allows remote attackers to cause a denial of service (application crash) via a crafted packet that is improperly handled during decryption of an SSL session. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0564 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-2187 CVE STATUS: Patched CVE SUMMARY: The dissect_atn_cpdlc_heur function in asn1/atn-cpdlc/packet-atn-cpdlc-template.c in the ATN-CPDLC dissector in Wireshark 1.12.x before 1.12.4 does not properly follow the TRY/ENDTRY code requirements, which allows remote attackers to cause a denial of service (stack memory corruption and application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2187 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-2188 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-wcp.c in the WCP dissector in Wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 does not properly initialize a data structure, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet that is improperly handled during decompression. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2188 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-2189 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the pcapng_read function in wiretap/pcapng.c in the pcapng file parser in Wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via an invalid Interface Statistics Block (ISB) interface ID in a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2189 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-2190 CVE STATUS: Patched CVE SUMMARY: epan/proto.c in Wireshark 1.12.x before 1.12.4 does not properly handle integer data types greater than 32 bits in size, which allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted packet that is improperly handled by the LLDP dissector. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2190 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-2191 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the dissect_tnef function in epan/dissectors/packet-tnef.c in the TNEF dissector in Wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted length field in a packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2191 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-2192 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the dissect_osd2_cdb_continuation function in epan/dissectors/packet-scsi-osd.c in the SCSI OSD dissector in Wireshark 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted length field in a packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2192 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-3182 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-dec-dnart.c in the DECnet NSP/RT dissector in Wireshark 1.10.12 through 1.10.14 mishandles a certain strdup return value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3182 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-3808 CVE STATUS: Patched CVE SUMMARY: The dissect_lbmr_pser function in epan/dissectors/packet-lbmr.c in the LBMR dissector in Wireshark 1.12.x before 1.12.5 does not reject a zero length, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3808 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-3809 CVE STATUS: Patched CVE SUMMARY: The dissect_lbmr_pser function in epan/dissectors/packet-lbmr.c in the LBMR dissector in Wireshark 1.12.x before 1.12.5 does not properly track the current offset, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3809 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-3810 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-websocket.c in the WebSocket dissector in Wireshark 1.12.x before 1.12.5 uses a recursive algorithm, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted packet. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3810 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-3811 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-wcp.c in the WCP dissector in Wireshark 1.10.x before 1.10.14 and 1.12.x before 1.12.5 improperly refers to previously processed bytes, which allows remote attackers to cause a denial of service (application crash) via a crafted packet, a different vulnerability than CVE-2015-2188. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3811 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-3812 CVE STATUS: Patched CVE SUMMARY: Multiple memory leaks in the x11_init_protocol function in epan/dissectors/packet-x11.c in the X11 dissector in Wireshark 1.10.x before 1.10.14 and 1.12.x before 1.12.5 allow remote attackers to cause a denial of service (memory consumption) via a crafted packet. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3812 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-3813 CVE STATUS: Patched CVE SUMMARY: The fragment_add_work function in epan/reassemble.c in the packet-reassembly feature in Wireshark 1.12.x before 1.12.5 does not properly determine the defragmentation state in a case of an insufficient snapshot length, which allows remote attackers to cause a denial of service (memory consumption) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3813 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-3814 CVE STATUS: Patched CVE SUMMARY: The (1) dissect_tfs_request and (2) dissect_tfs_response functions in epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in Wireshark 1.10.x before 1.10.14 and 1.12.x before 1.12.5 interpret a zero value as a length rather than an error condition, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3814 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-3815 CVE STATUS: Patched CVE SUMMARY: The detect_version function in wiretap/logcat.c in the Android Logcat file parser in Wireshark 1.12.x before 1.12.5 does not check the length of the payload, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a packet with a crafted payload, as demonstrated by a length of zero, a different vulnerability than CVE-2015-3906. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3815 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-3906 CVE STATUS: Patched CVE SUMMARY: The logcat_dump_text function in wiretap/logcat.c in the Android Logcat file parser in Wireshark 1.12.x before 1.12.5 does not properly handle a lack of \0 termination, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted message in a packet, a different vulnerability than CVE-2015-3815. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3906 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-4651 CVE STATUS: Patched CVE SUMMARY: The dissect_wccp2r1_address_table_info function in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.12.x before 1.12.6 does not properly determine whether enough memory is available for storing IP address strings, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4651 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-4652 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-gsm_a_dtap.c in the GSM DTAP dissector in Wireshark 1.12.x before 1.12.6 does not properly validate digit characters, which allows remote attackers to cause a denial of service (application crash) via a crafted packet, related to the de_emerg_num_list and de_bcd_num functions. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4652 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-6241 CVE STATUS: Patched CVE SUMMARY: The proto_tree_add_bytes_item function in epan/proto.c in the protocol-tree implementation in Wireshark 1.12.x before 1.12.7 does not properly terminate a data structure after a failure to locate a number within a string, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6241 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-6242 CVE STATUS: Patched CVE SUMMARY: The wmem_block_split_free_chunk function in epan/wmem/wmem_allocator_block.c in the wmem block allocator in the memory manager in Wireshark 1.12.x before 1.12.7 does not properly consider a certain case of multiple realloc operations that restore a memory chunk to its original size, which allows remote attackers to cause a denial of service (incorrect free operation and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6242 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-6243 CVE STATUS: Patched CVE SUMMARY: The dissector-table implementation in epan/packet.c in Wireshark 1.12.x before 1.12.7 mishandles table searches for empty strings, which allows remote attackers to cause a denial of service (application crash) via a crafted packet, related to the (1) dissector_get_string_handle and (2) dissector_get_default_string_handle functions. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6243 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-6244 CVE STATUS: Patched CVE SUMMARY: The dissect_zbee_secure function in epan/dissectors/packet-zbee-security.c in the ZigBee dissector in Wireshark 1.12.x before 1.12.7 improperly relies on length fields contained in packet data, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6244 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-6245 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-gsm_rlcmac.c in the GSM RLC/MAC dissector in Wireshark 1.12.x before 1.12.7 uses incorrect integer data types, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6245 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-6246 CVE STATUS: Patched CVE SUMMARY: The dissect_wa_payload function in epan/dissectors/packet-waveagent.c in the WaveAgent dissector in Wireshark 1.12.x before 1.12.7 mishandles large tag values, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6246 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-6247 CVE STATUS: Patched CVE SUMMARY: The dissect_openflow_tablemod_v5 function in epan/dissectors/packet-openflow_v5.c in the OpenFlow dissector in Wireshark 1.12.x before 1.12.7 does not validate a certain offset value, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6247 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-6248 CVE STATUS: Patched CVE SUMMARY: The ptvcursor_add function in the ptvcursor implementation in epan/proto.c in Wireshark 1.12.x before 1.12.7 does not check whether the expected amount of data is available, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6248 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-6249 CVE STATUS: Patched CVE SUMMARY: The dissect_wccp2r1_address_table_info function in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.12.x before 1.12.7 does not prevent the conflicting use of a table for both IPv4 and IPv6 addresses, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6249 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-7830 CVE STATUS: Patched CVE SUMMARY: The pcapng_read_if_descr_block function in wiretap/pcapng.c in the pcapng parser in Wireshark 1.12.x before 1.12.8 uses too many levels of pointer indirection, which allows remote attackers to cause a denial of service (incorrect free and application crash) via a crafted packet that triggers interface-filter copying. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7830 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8711 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate conversation data, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8711 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8712 CVE STATUS: Patched CVE SUMMARY: The dissect_hsdsch_channel_info function in epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark 1.12.x before 1.12.9 does not validate the number of PDUs, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8712 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8713 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark 1.12.x before 1.12.9 does not properly reserve memory for channel ID mappings, which allows remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8713 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8714 CVE STATUS: Patched CVE SUMMARY: The dissect_dcom_OBJREF function in epan/dissectors/packet-dcom.c in the DCOM dissector in Wireshark 1.12.x before 1.12.9 does not initialize a certain IPv4 data structure, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8714 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8715 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-alljoyn.c in the AllJoyn dissector in Wireshark 1.12.x before 1.12.9 does not check for empty arguments, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8715 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8716 CVE STATUS: Patched CVE SUMMARY: The init_t38_info_conv function in epan/dissectors/packet-t38.c in the T.38 dissector in Wireshark 1.12.x before 1.12.9 does not ensure that a conversation exists, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8716 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8717 CVE STATUS: Patched CVE SUMMARY: The dissect_sdp function in epan/dissectors/packet-sdp.c in the SDP dissector in Wireshark 1.12.x before 1.12.9 does not prevent use of a negative media count, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8717 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8718 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in epan/dissectors/packet-nlm.c in the NLM dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1, when the "Match MSG/RES packets for async NLM" option is enabled, allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8718 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8719 CVE STATUS: Patched CVE SUMMARY: The dissect_dns_answer function in epan/dissectors/packet-dns.c in the DNS dissector in Wireshark 1.12.x before 1.12.9 mishandles the EDNS0 Client Subnet option, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8719 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8720 CVE STATUS: Patched CVE SUMMARY: The dissect_ber_GeneralizedTime function in epan/dissectors/packet-ber.c in the BER dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 improperly checks an sscanf return value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8720 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8721 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the tvb_uncompress function in epan/tvbuff_zlib.c in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 allows remote attackers to cause a denial of service (application crash) via a crafted packet with zlib compression. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8721 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8722 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-sctp.c in the SCTP dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the frame pointer, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8722 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8723 CVE STATUS: Patched CVE SUMMARY: The AirPDcapPacketProcess function in epan/crypt/airpdcap.c in the 802.11 dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the relationship between the total length and the capture length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8723 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8724 CVE STATUS: Patched CVE SUMMARY: The AirPDcapDecryptWPABroadcastKey function in epan/crypt/airpdcap.c in the 802.11 dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not verify the WPA broadcast key length, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8724 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8725 CVE STATUS: Patched CVE SUMMARY: The dissect_diameter_base_framed_ipv6_prefix function in epan/dissectors/packet-diameter.c in the DIAMETER dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the IPv6 prefix length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8725 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8726 CVE STATUS: Patched CVE SUMMARY: wiretap/vwr.c in the VeriWave file parser in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate certain signature and Modulation and Coding Scheme (MCS) data, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8726 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8727 CVE STATUS: Patched CVE SUMMARY: The dissect_rsvp_common function in epan/dissectors/packet-rsvp.c in the RSVP dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not properly maintain request-key data, which allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8727 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8728 CVE STATUS: Patched CVE SUMMARY: The Mobile Identity parser in (1) epan/dissectors/packet-ansi_a.c in the ANSI A dissector and (2) epan/dissectors/packet-gsm_a_common.c in the GSM A dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 improperly uses the tvb_bcd_dig_to_wmem_packet_str function, which allows remote attackers to cause a denial of service (buffer overflow and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8728 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8729 CVE STATUS: Patched CVE SUMMARY: The ascend_seek function in wiretap/ascendtext.c in the Ascend file parser in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not ensure the presence of a '\0' character at the end of a date string, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8729 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8730 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the number of items, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8730 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8731 CVE STATUS: Patched CVE SUMMARY: The dissct_rsl_ipaccess_msg function in epan/dissectors/packet-rsl.c in the RSL dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not reject unknown TLV types, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8731 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8732 CVE STATUS: Patched CVE SUMMARY: The dissect_zcl_pwr_prof_pwrprofstatersp function in epan/dissectors/packet-zbee-zcl-general.c in the ZigBee ZCL dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the Total Profile Number field, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8732 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8733 CVE STATUS: Patched CVE SUMMARY: The ngsniffer_process_record function in wiretap/ngsniffer.c in the Sniffer file parser in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the relationships between record lengths and record header lengths, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8733 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8734 CVE STATUS: Patched CVE SUMMARY: The dissect_nwp function in epan/dissectors/packet-nwp.c in the NWP dissector in Wireshark 2.0.x before 2.0.1 mishandles the packet type, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8734 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8735 CVE STATUS: Patched CVE SUMMARY: The get_value function in epan/dissectors/packet-btatt.c in the Bluetooth Attribute (aka BT ATT) dissector in Wireshark 2.0.x before 2.0.1 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (invalid write operation and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8735 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8736 CVE STATUS: Patched CVE SUMMARY: The mp2t_find_next_pcr function in wiretap/mp2t.c in the MP2T file parser in Wireshark 2.0.x before 2.0.1 does not reserve memory for a trailer, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8736 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8737 CVE STATUS: Patched CVE SUMMARY: The mp2t_open function in wiretap/mp2t.c in the MP2T file parser in Wireshark 2.0.x before 2.0.1 does not validate the bit rate, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8737 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8738 CVE STATUS: Patched CVE SUMMARY: The s7comm_decode_ud_cpu_szl_subfunc function in epan/dissectors/packet-s7comm_szl_ids.c in the S7COMM dissector in Wireshark 2.0.x before 2.0.1 does not validate the list count in an SZL response, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8738 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8739 CVE STATUS: Patched CVE SUMMARY: The ipmi_fmt_udpport function in epan/dissectors/packet-ipmi.c in the IPMI dissector in Wireshark 2.0.x before 2.0.1 improperly attempts to access a packet scope, which allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8739 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8740 CVE STATUS: Patched CVE SUMMARY: The dissect_tds7_colmetadata_token function in epan/dissectors/packet-tds.c in the TDS dissector in Wireshark 2.0.x before 2.0.1 does not validate the number of columns, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8740 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8741 CVE STATUS: Patched CVE SUMMARY: The dissect_ppi function in epan/dissectors/packet-ppi.c in the PPI dissector in Wireshark 2.0.x before 2.0.1 does not initialize a packet-header data structure, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8741 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2015-8742 CVE STATUS: Patched CVE SUMMARY: The dissect_CPMSetBindings function in epan/dissectors/packet-mswsp.c in the MS-WSP dissector in Wireshark 2.0.x before 2.0.1 does not validate the column size, which allows remote attackers to cause a denial of service (memory consumption or application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8742 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-2521 CVE STATUS: Patched CVE SUMMARY: Untrusted search path vulnerability in the WiresharkApplication class in ui/qt/wireshark_application.cpp in Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2 on Windows allows local users to gain privileges via a Trojan horse riched20.dll.dll file in the current working directory, related to use of QLibrary. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2521 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-2522 CVE STATUS: Patched CVE SUMMARY: The dissect_ber_constrained_bitstring function in epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 2.0.x before 2.0.2 does not verify that a certain length is nonzero, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2522 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-2523 CVE STATUS: Patched CVE SUMMARY: The dnp3_al_process_object function in epan/dissectors/packet-dnp.c in the DNP3 dissector in Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2523 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-2524 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-x509af.c in the X.509AF dissector in Wireshark 2.0.x before 2.0.2 mishandles the algorithm ID, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2524 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-2525 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-http2.c in the HTTP/2 dissector in Wireshark 2.0.x before 2.0.2 does not limit the amount of header data, which allows remote attackers to cause a denial of service (memory consumption or application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2525 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-2526 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-hiqnet.c in the HiQnet dissector in Wireshark 2.0.x before 2.0.2 does not validate the data type, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2526 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-2527 CVE STATUS: Patched CVE SUMMARY: wiretap/nettrace_3gpp_32_423.c in the 3GPP TS 32.423 Trace file parser in Wireshark 2.0.x before 2.0.2 does not ensure that a '\0' character is present at the end of certain strings, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2527 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-2528 CVE STATUS: Patched CVE SUMMARY: The dissect_nhdr_extopt function in epan/dissectors/packet-lbmc.c in the LBMC dissector in Wireshark 2.0.x before 2.0.2 does not validate length values, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2528 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-2529 CVE STATUS: Patched CVE SUMMARY: The iseries_check_file_type function in wiretap/iseries.c in the iSeries file parser in Wireshark 2.0.x before 2.0.2 does not consider that a line may lack the "OBJECT PROTOCOL" substring, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2529 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-2530 CVE STATUS: Patched CVE SUMMARY: The dissct_rsl_ipaccess_msg function in epan/dissectors/packet-rsl.c in the RSL dissector in Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2 mishandles the case of an unrecognized TLV type, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet, a different vulnerability than CVE-2016-2531. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2530 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-2531 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in epan/dissectors/packet-rsl.c in the RSL dissector in Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet that triggers a 0xff tag value, a different vulnerability than CVE-2016-2530. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2531 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-2532 CVE STATUS: Patched CVE SUMMARY: The dissect_llrp_parameters function in epan/dissectors/packet-llrp.c in the LLRP dissector in Wireshark 1.12.x before 1.12.10 and 2.0.x before 2.0.2 does not limit the recursion depth, which allows remote attackers to cause a denial of service (memory consumption or application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2532 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4006 CVE STATUS: Patched CVE SUMMARY: epan/proto.c in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not limit the protocol-tree depth, which allows remote attackers to cause a denial of service (stack memory consumption and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4006 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4076 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 2.0.x before 2.0.3 does not properly initialize memory for search patterns, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4076 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4077 CVE STATUS: Patched CVE SUMMARY: epan/reassemble.c in TShark in Wireshark 2.0.x before 2.0.3 relies on incorrect special-case handling of truncated Tvb data structures, which allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4077 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4078 CVE STATUS: Patched CVE SUMMARY: The IEEE 802.11 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not properly restrict element lists, which allows remote attackers to cause a denial of service (deep recursion and application crash) via a crafted packet, related to epan/dissectors/packet-capwap.c and epan/dissectors/packet-ieee80211.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4078 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4079 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-pktc.c in the PKTC dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not verify BER identifiers, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4079 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4080 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-pktc.c in the PKTC dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 misparses timestamp fields, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4080 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4081 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-iax2.c in the IAX2 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4081 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4082 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-gsm_cbch.c in the GSM CBCH dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 uses the wrong variable to index an array, which allows remote attackers to cause a denial of service (out-of-bounds access and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4082 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4083 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-mswsp.c in the MS-WSP dissector in Wireshark 2.0.x before 2.0.3 does not ensure that data is available before array allocation, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4083 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4084 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in epan/dissectors/packet-mswsp.c in the MS-WSP dissector in Wireshark 2.0.x before 2.0.3 allows remote attackers to cause a denial of service (integer overflow and application crash) via a crafted packet that triggers an unexpected array size. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4084 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4085 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.12.x before 1.12.11 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long string in a packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4085 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4415 CVE STATUS: Patched CVE SUMMARY: wiretap/vwr.c in the Ixia IxVeriWave file parser in Wireshark 2.x before 2.0.2 incorrectly increases a certain octet count, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4415 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4416 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in Wireshark 2.x before 2.0.2 mishandles the Grouping subfield, which allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4416 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4417 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in epan/dissectors/packet-gsm_abis_oml.c in the GSM A-bis OML dissector in Wireshark 1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet that triggers a 0xff tag value. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4417 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4418 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet that triggers an empty set. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4418 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4419 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-spice.c in the SPICE dissector in Wireshark 2.x before 2.0.2 mishandles capability data, which allows remote attackers to cause a denial of service (large loop) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4419 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4420 CVE STATUS: Patched CVE SUMMARY: The NFS dissector in Wireshark 2.x before 2.0.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4420 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-4421 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (deep recursion, stack consumption, and application crash) via a packet that specifies deeply nested data. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4421 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-5350 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-dcerpc-spoolss.c in the SPOOLS component in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles unexpected offsets, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5350 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-5351 CVE STATUS: Patched CVE SUMMARY: epan/crypt/airpdcap.c in the IEEE 802.11 dissector in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles the lack of an EAPOL_RSN_KEY, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5351 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-5352 CVE STATUS: Patched CVE SUMMARY: epan/crypt/airpdcap.c in the IEEE 802.11 dissector in Wireshark 2.x before 2.0.4 mishandles certain length values, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5352 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-5353 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles the reserved C/T value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5353 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-5354 CVE STATUS: Patched CVE SUMMARY: The USB subsystem in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles class types, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5354 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-5355 CVE STATUS: Patched CVE SUMMARY: wiretap/toshiba.c in the Toshiba file parser in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles sscanf unsigned-integer processing, which allows remote attackers to cause a denial of service (application crash) via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5355 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-5356 CVE STATUS: Patched CVE SUMMARY: wiretap/cosine.c in the CoSine file parser in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles sscanf unsigned-integer processing, which allows remote attackers to cause a denial of service (application crash) via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5356 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-5357 CVE STATUS: Patched CVE SUMMARY: wiretap/netscreen.c in the NetScreen file parser in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles sscanf unsigned-integer processing, which allows remote attackers to cause a denial of service (application crash) via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5357 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-5358 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-pktap.c in the Ethernet dissector in Wireshark 2.x before 2.0.4 mishandles the packet-header data type, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5358 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-5359 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-wbxml.c in the WBXML dissector in Wireshark 1.12.x before 1.12.12 mishandles offsets, which allows remote attackers to cause a denial of service (integer overflow and infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5359 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-6503 CVE STATUS: Patched CVE SUMMARY: The CORBA IDL dissectors in Wireshark 2.x before 2.0.5 on 64-bit Windows platforms do not properly interact with Visual C++ compiler options, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6503 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-6504 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-ncp2222.inc in the NDS dissector in Wireshark 1.12.x before 1.12.13 does not properly maintain a ptvc data structure, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6504 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-6505 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-packetbb.c in the PacketBB dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6505 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-6506 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-wsp.c in the WSP dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6506 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-6507 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-mmse.c in the MMSE dissector in Wireshark 1.12.x before 1.12.13 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6507 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-6508 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (large loop) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6508 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-6509 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-ldss.c in the LDSS dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 mishandles conversations, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6509 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-6510 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6510 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-6511 CVE STATUS: Patched CVE SUMMARY: epan/proto.c in Wireshark 1.12.x before 1.12.13 and 2.x before 2.0.5 allows remote attackers to cause a denial of service (OpenFlow dissector large loop) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6511 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-6512 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-wap.c in Wireshark 2.x before 2.0.5 omits an overflow check in the tvb_get_guintvar function, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet, related to the MMSE, WAP, WBXML, and WSP dissectors. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6512 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-6513 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-wbxml.c in the WBXML dissector in Wireshark 2.x before 2.0.5 does not restrict the recursion depth, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6513 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-7175 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-qnet6.c in the QNX6 QNET dissector in Wireshark 2.x before 2.0.6 mishandles MAC address data, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7175 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-7176 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-h225.c in the H.225 dissector in Wireshark 2.x before 2.0.6 calls snprintf with one of its input buffers as the output buffer, which allows remote attackers to cause a denial of service (copy overlap and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7176 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-7177 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-catapult-dct2000.c in the Catapult DCT2000 dissector in Wireshark 2.x before 2.0.6 does not restrict the number of channels, which allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7177 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-7178 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-umts_fp.c in the UMTS FP dissector in Wireshark 2.x before 2.0.6 does not ensure that memory is allocated for certain data structures, which allows remote attackers to cause a denial of service (invalid write access and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7178 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-7179 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in epan/dissectors/packet-catapult-dct2000.c in the Catapult DCT2000 dissector in Wireshark 2.x before 2.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7179 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-7180 CVE STATUS: Patched CVE SUMMARY: epan/dissectors/packet-ipmi-trace.c in the IPMI trace dissector in Wireshark 2.x before 2.0.6 does not properly consider whether a string is constant, which allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7180 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-7957 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0, the Bluetooth L2CAP dissector could crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-btl2cap.c by avoiding use of a seven-byte memcmp for potentially shorter strings. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7957 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-7958 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0, the NCP dissector could crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/CMakeLists.txt by registering this dissector. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7958 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-9372 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.1, the Profinet I/O dissector could loop excessively, triggered by network traffic or a capture file. This was addressed in plugins/profinet/packet-pn-rtc-one.c by rejecting input with too many I/O objects. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9372 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-9373 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DCERPC dissector could crash with a use-after-free, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-dcerpc-nt.c and epan/dissectors/packet-dcerpc-spoolss.c by using the wmem file scope for private strings. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9373 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-9374 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the AllJoyn dissector could crash with a buffer over-read, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-alljoyn.c by ensuring that a length variable properly tracked the state of a signature variable. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9374 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-9375 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DTN dissector could go into an infinite loop, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-dtn.c by checking whether SDNV evaluation was successful. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9375 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2016-9376 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the OpenFlow dissector could crash with memory exhaustion, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-openflow_v5.c by ensuring that certain length values were sufficiently large. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9376 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-11406 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the DOCSIS dissector could go into an infinite loop. This was addressed in plugins/docsis/packet-docsis.c by rejecting invalid Frame Control parameter values. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11406 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-11407 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the MQ dissector could crash. This was addressed in epan/dissectors/packet-mq.c by validating the fragment length before a reassembly attempt. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11407 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-11408 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the AMQP dissector could crash. This was addressed in epan/dissectors/packet-amqp.c by checking for successful list dissection. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11408 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-11409 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.0.0 to 2.0.13, the GPRS LLC dissector could go into a large loop. This was addressed in epan/dissectors/packet-gprs-llc.c by using a different integer data type. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11409 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-11410 CVE STATUS: Patched CVE SUMMARY: In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the WBXML dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-wbxml.c by adding validation of the relationships between indexes and lengths. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-7702. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11410 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-11411 CVE STATUS: Patched CVE SUMMARY: In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the openSAFETY dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-opensafety.c by adding length validation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-9350. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11411 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-13764 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0, the Modbus dissector could crash with a NULL pointer dereference. This was addressed in epan/dissectors/packet-mbtcp.c by adding length validation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13764 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-13765 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the IrCOMM dissector has a buffer over-read and application crash. This was addressed in plugins/irda/packet-ircomm.c by adding length validation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13765 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-13766 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 and 2.2.0 to 2.2.8, the Profinet I/O dissector could crash with an out-of-bounds write. This was addressed in plugins/profinet/packet-dcerpc-pn-io.c by adding string validation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13766 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-13767 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the MSDP dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-msdp.c by adding length validation. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13767 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-15189 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.1, the DOCSIS dissector could go into an infinite loop. This was addressed in plugins/docsis/packet-docsis.c by adding decrements. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15189 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-15190 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.1, the RTSP dissector could crash. This was addressed in epan/dissectors/packet-rtsp.c by correcting the scope of a variable. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15190 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-15191 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, and 2.0.0 to 2.0.15, the DMP dissector could crash. This was addressed in epan/dissectors/packet-dmp.c by validating a string length. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15191 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-15192 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the BT ATT dissector could crash. This was addressed in epan/dissectors/packet-btatt.c by considering a case where not all of the BTATT packets have the same encapsulation level. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15192 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-15193 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the MBIM dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-mbim.c by changing the memory-allocation approach. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15193 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-17083 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the NetBIOS dissector could crash. This was addressed in epan/dissectors/packet-netbios.c by ensuring that write operations are bounded by the beginning of a buffer. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17083 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-17084 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the IWARP_MPA dissector could crash. This was addressed in epan/dissectors/packet-iwarp-mpa.c by validating a ULPDU length. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17084 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-17085 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the CIP Safety dissector could crash. This was addressed in epan/dissectors/packet-cipsafety.c by validating the packet length. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17085 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-17935 CVE STATUS: Patched CVE SUMMARY: The File_read_line function in epan/wslua/wslua_file.c in Wireshark through 2.2.11 does not properly strip '\n' characters, which allows remote attackers to cause a denial of service (buffer underflow and application crash) via a crafted packet that triggers the attempted processing of an empty line. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17935 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-17997 CVE STATUS: Patched CVE SUMMARY: In Wireshark before 2.2.12, the MRDISC dissector misuses a NULL pointer and crashes. This was addressed in epan/dissectors/packet-mrdisc.c by validating an IPv4 address. This vulnerability is similar to CVE-2017-9343. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17997 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-5596 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the ASTERIX dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-asterix.c by changing a data type to avoid an integer overflow. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5596 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-5597 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the DHCPv6 dissector could go into a large loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-dhcpv6.c by changing a data type to avoid an integer overflow. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5597 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-6014 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.4 and earlier, a crafted or malformed STANAG 4607 capture file will cause an infinite loop and memory exhaustion. If the packet size field in a packet header is null, the offset to read from will not advance, causing continuous attempts to read the same zero length packet. This will quickly exhaust all system memory. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6014 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-6467 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a Netscaler file parser infinite loop, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by changing the restrictions on file size. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6467 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-6468 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a NetScaler file parser crash, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by validating the relationship between pages and records. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6468 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-6469 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an LDSS dissector crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-ldss.c by ensuring that memory is allocated for a certain data structure. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6469 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-6470 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an IAX2 infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-iax2.c by constraining packet lateness. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6470 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-6471 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a WSP infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-wsp.c by validating the capability length. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6471 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-6472 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an RTMPT dissector infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-rtmpt.c by properly incrementing a certain sequence value. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6472 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-6473 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a K12 file parser crash, triggered by a malformed capture file. This was addressed in wiretap/k12.c by validating the relationships between lengths and offsets. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6473 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-6474 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a NetScaler file parser infinite loop, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by validating record sizes. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6474 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-7700 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the NetScaler file parser could go into an infinite loop, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by ensuring a nonzero record size. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7700 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-7701 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the BGP dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-bgp.c by using a different integer data type. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7701 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-7702 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the WBXML dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-wbxml.c by adding length validation. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7702 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-7703 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the IMAP dissector could crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-imap.c by calculating a line's end correctly. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7703 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-7704 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.5, the DOF dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-dof.c by using a different integer data type and adjusting a return value. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7704 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-7705 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the RPC over RDMA dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-rpcrdma.c by correctly checking for going beyond the maximum offset. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7705 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-7745 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SIGCOMP dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-sigcomp.c by correcting a memory-size check. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7745 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-7746 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SLSK dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-slsk.c by adding checks for the remaining length. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7746 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-7747 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the PacketBB dissector could crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-packetbb.c by restricting additions to the protocol tree. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7747 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-7748 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the WSP dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-wsp.c by adding a length check. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7748 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-9343 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the MSNIP dissector misuses a NULL pointer. This was addressed in epan/dissectors/packet-msnip.c by validating an IPv4 address. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9343 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-9344 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bluetooth L2CAP dissector could divide by zero. This was addressed in epan/dissectors/packet-btl2cap.c by validating an interval value. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9344 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-9345 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DNS dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-dns.c by trying to detect self-referencing pointers. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9345 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-9346 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the SoulSeek dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-slsk.c by making loop bounds more explicit. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9346 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-9347 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.6, the ROS dissector could crash with a NULL pointer dereference. This was addressed in epan/dissectors/asn1/ros/packet-ros-template.c by validating an OID. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9347 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-9348 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.6, the DOF dissector could read past the end of a buffer. This was addressed in epan/dissectors/packet-dof.c by validating a size value. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9348 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-9349 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DICOM dissector has an infinite loop. This was addressed in epan/dissectors/packet-dcm.c by validating a length value. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9349 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-9350 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the openSAFETY dissector could crash or exhaust system memory. This was addressed in epan/dissectors/packet-opensafety.c by checking for a negative length. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9350 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-9351 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DHCP dissector could read past the end of a buffer. This was addressed in epan/dissectors/packet-bootp.c by extracting the Vendor Class Identifier more carefully. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9351 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-9352 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bazaar dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-bzr.c by ensuring that backwards parsing cannot occur. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9352 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-9353 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.6, the IPv6 dissector could crash. This was addressed in epan/dissectors/packet-ipv6.c by validating an IPv6 address. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9353 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-9354 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the RGMP dissector could crash. This was addressed in epan/dissectors/packet-rgmp.c by validating an IPv4 address. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9354 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-9616 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.7, overly deep mp4 chunks may cause stack exhaustion (uncontrolled recursion) in the dissect_mp4_box function in epan/dissectors/file-mp4.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9616 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-9617 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.7, deeply nested DAAP data may cause stack exhaustion (uncontrolled recursion) in the dissect_daap_one_tag function in epan/dissectors/packet-daap.c in the DAAP dissector. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9617 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2017-9766 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.7, PROFINET IO data with a high recursion depth allows remote attackers to cause a denial of service (stack exhaustion) in the dissect_IODWriteReq function in plugins/profinet/packet-dcerpc-pn-io.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9766 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-11354 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0, the IEEE 1905.1a dissector could crash. This was addressed in epan/dissectors/packet-ieee1905.c by making a certain correction to string handling. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11354 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-11355 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0, the RTCP dissector could crash. This was addressed in epan/dissectors/packet-rtcp.c by avoiding a buffer overflow for packet status chunks. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11355 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-11356 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the DNS dissector could crash. This was addressed in epan/dissectors/packet-dns.c by avoiding a NULL pointer dereference for an empty name in an SRV record. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11356 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-11357 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the LTP dissector and other dissectors could consume excessive memory. This was addressed in epan/tvbuff.c by rejecting negative lengths. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11357 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-11358 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the Q.931 dissector could crash. This was addressed in epan/dissectors/packet-q931.c by avoiding a use-after-free after a malformed packet prevented certain cleanup. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11358 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-11359 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the RRC dissector and other dissectors could crash. This was addressed in epan/proto.c by avoiding a NULL pointer dereference. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11359 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-11360 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the GSM A DTAP dissector could crash. This was addressed in epan/dissectors/packet-gsm_a_dtap.c by fixing an off-by-one error that caused a buffer overflow. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11360 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-11361 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0, the IEEE 802.11 protocol dissector could crash. This was addressed in epan/crypt/dot11decrypt.c by avoiding a buffer overflow during FTE processing in Dot11DecryptTDLSDeriveKey. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11361 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-11362 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the LDSS dissector could crash. This was addressed in epan/dissectors/packet-ldss.c by avoiding a buffer over-read upon encountering a missing '\0' character. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11362 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-14339 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the MMSE dissector could go into an infinite loop. This was addressed in epan/proto.c by adding offset and length validation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14339 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-14340 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, dissectors that support zlib decompression could crash. This was addressed in epan/tvbuff_zlib.c by rejecting negative lengths to avoid a buffer over-read. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14340 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-14341 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the DICOM dissector could go into a large or infinite loop. This was addressed in epan/dissectors/packet-dcm.c by preventing an offset overflow. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14341 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-14342 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the BGP protocol dissector could go into a large loop. This was addressed in epan/dissectors/packet-bgp.c by validating Path Attribute lengths. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14342 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-14343 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the ASN.1 BER dissector could crash. This was addressed in epan/dissectors/packet-ber.c by ensuring that length values do not exceed the maximum signed integer. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14343 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-14344 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the ISMP dissector could crash. This was addressed in epan/dissectors/packet-ismp.c by validating the IPX address length to avoid a buffer over-read. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14344 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-14367 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.1 and 2.4.0 to 2.4.7, the CoAP protocol dissector could crash. This was addressed in epan/dissectors/packet-coap.c by properly checking for a NULL condition. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14367 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-14368 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the Bazaar protocol dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-bzr.c by properly handling items that are too long. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14368 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-14369 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the HTTP2 dissector could crash. This was addressed in epan/dissectors/packet-http2.c by verifying that header data was found before proceeding to header decompression. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14369 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-14370 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.1 and 2.4.0 to 2.4.7, the IEEE 802.11 protocol dissector could crash. This was addressed in epan/crypt/airpdcap.c via bounds checking that prevents a buffer over-read. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14370 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-14438 CVE STATUS: Patched CVE SUMMARY: In Wireshark through 2.6.2, the create_app_running_mutex function in wsutil/file_util.c calls SetSecurityDescriptorDacl to set a NULL DACL, which allows attackers to modify the access control arbitrarily. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14438 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-16056 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.2, 2.4.0 to 2.4.8, and 2.2.0 to 2.2.16, the Bluetooth Attribute Protocol dissector could crash. This was addressed in epan/dissectors/packet-btatt.c by verifying that a dissector for a specific UUID exists. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16056 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-16057 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.2, 2.4.0 to 2.4.8, and 2.2.0 to 2.2.16, the Radiotap dissector could crash. This was addressed in epan/dissectors/packet-ieee80211-radiotap-iter.c by validating iterator operations. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16057 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-16058 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.2, 2.4.0 to 2.4.8, and 2.2.0 to 2.2.16, the Bluetooth AVDTP dissector could crash. This was addressed in epan/dissectors/packet-btavdtp.c by properly initializing a data structure. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16058 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-18225 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.3, the CoAP dissector could crash. This was addressed in epan/dissectors/packet-coap.c by ensuring that the piv length is correctly computed. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18225 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-18226 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.3, the Steam IHS Discovery dissector could consume system memory. This was addressed in epan/dissectors/packet-steam-ihs-discovery.c by changing the memory-management approach. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18226 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-18227 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.3 and 2.4.0 to 2.4.9, the MS-WSP protocol dissector could crash. This was addressed in epan/dissectors/packet-mswsp.c by properly handling NULL return values. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18227 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-19622 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the MMSE dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-mmse.c by preventing length overflows. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19622 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-19623 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the LBMPDM dissector could crash. In addition, a remote attacker could write arbitrary data to any memory locations before the packet-scoped memory. This was addressed in epan/dissectors/packet-lbmpdm.c by disallowing certain negative values. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19623 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-19624 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the PVFS dissector could crash. This was addressed in epan/dissectors/packet-pvfs2.c by preventing a NULL pointer dereference. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19624 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-19625 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the dissection engine could crash. This was addressed in epan/tvbuff_composite.c by preventing a heap-based buffer over-read. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19625 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-19626 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the DCOM dissector could crash. This was addressed in epan/dissectors/packet-dcom.c by adding '\0' termination. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19626 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-19627 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the IxVeriWave file parser could crash. This was addressed in wiretap/vwr.c by adjusting a buffer boundary. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19627 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-19628 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.4, the ZigBee ZCL dissector could crash. This was addressed in epan/dissectors/packet-zbee-zcl-lighting.c by preventing a divide-by-zero error. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19628 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-5334 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the IxVeriWave file parser could crash. This was addressed in wiretap/vwr.c by correcting the signature timestamp bounds checks. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5334 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-5335 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the WCP dissector could crash. This was addressed in epan/dissectors/packet-wcp.c by validating the available buffer length. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5335 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-5336 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the JSON, XML, NTP, XMPP, and GDB dissectors could crash. This was addressed in epan/tvbparse.c by limiting the recursion depth. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5336 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-6836 CVE STATUS: Patched CVE SUMMARY: The netmonrec_comment_destroy function in wiretap/netmon.c in Wireshark through 2.4.4 performs a free operation on an uninitialized memory address, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6836 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7320 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the SIGCOMP protocol dissector could crash. This was addressed in epan/dissectors/packet-sigcomp.c by validating operand offsets. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7320 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7321 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-thrift.c had a large loop that was addressed by not proceeding with dissection after encountering an unexpected type. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7321 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7322 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-dcm.c had an infinite loop that was addressed by checking for integer wraparound. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7322 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7323 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-wccp.c had a large loop that was addressed by ensuring that a calculated length was monotonically increasing. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7323 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7324 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-sccp.c had an infinite loop that was addressed by using a correct integer data type. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7324 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7325 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-rpki-rtr.c had an infinite loop that was addressed by validating a length field. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7325 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7326 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-lltd.c had an infinite loop that was addressed by using a correct integer data type. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7326 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7327 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-openflow_v6.c had an infinite loop that was addressed by validating property lengths. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7327 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7328 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-usb.c had an infinite loop that was addressed by rejecting short frame header lengths. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7328 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7329 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-s7comm.c had an infinite loop that was addressed by correcting off-by-one errors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7329 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7330 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-thread.c had an infinite loop that was addressed by using a correct integer data type. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7330 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7331 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-ber.c had an infinite loop that was addressed by validating a length. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7331 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7332 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-reload.c had an infinite loop that was addressed by validating a length. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7332 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7333 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-rpcrdma.c had an infinite loop that was addressed by validating a chunk size. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7333 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7334 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the UMTS MAC dissector could crash. This was addressed in epan/dissectors/packet-umts_mac.c by rejecting a certain reserved value. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7334 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7335 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the IEEE 802.11 dissector could crash. This was addressed in epan/crypt/airpdcap.c by rejecting lengths that are too small. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7335 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7336 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the FCP protocol dissector could crash. This was addressed in epan/dissectors/packet-fcp.c by checking for a NULL pointer. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7336 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7337 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.4, the DOCSIS protocol dissector could crash. This was addressed in plugins/docsis/packet-docsis.c by removing the recursive algorithm that had been used for concatenated PDUs. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7337 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7417 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the IPMI dissector could crash. This was addressed in epan/dissectors/packet-ipmi-picmg.c by adding support for crafted packets that lack an IPMI header. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7417 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7418 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the SIGCOMP dissector could crash. This was addressed in epan/dissectors/packet-sigcomp.c by correcting the extraction of the length value. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7418 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7419 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the NBAP dissector could crash. This was addressed in epan/dissectors/asn1/nbap/nbap.cnf by ensuring DCH ID initialization. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7419 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7420 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the pcapng file parser could crash. This was addressed in wiretap/pcapng.c by adding a block-size check for sysdig event blocks. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7420 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-7421 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the DMP dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-dmp.c by correctly supporting a bounded number of Security Categories for a DMP Security Classification. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7421 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9256 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the LWAPP dissector could crash. This was addressed in epan/dissectors/packet-lwapp.c by limiting the encapsulation levels to restrict the recursion depth. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9256 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9257 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5, the CQL dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-cql.c by checking for a nonzero number of columns. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9257 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9258 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5, the TCP dissector could crash. This was addressed in epan/dissectors/packet-tcp.c by preserving valid data sources. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9258 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9259 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the MP4 dissector could crash. This was addressed in epan/dissectors/file-mp4.c by restricting the box recursion depth. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9259 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9260 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the IEEE 802.15.4 dissector could crash. This was addressed in epan/dissectors/packet-ieee802154.c by ensuring that an allocation step occurs. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9260 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9261 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the NBAP dissector could crash with a large loop that ends with a heap-based buffer overflow. This was addressed in epan/dissectors/packet-nbap.c by prohibiting the self-linking of DCH-IDs. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9261 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9262 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the VLAN dissector could crash. This was addressed in epan/dissectors/packet-vlan.c by limiting VLAN tag nesting to restrict the recursion depth. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9262 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9263 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the Kerberos dissector could crash. This was addressed in epan/dissectors/packet-kerberos.c by ensuring a nonzero key length. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9263 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9264 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the ADB dissector could crash with a heap-based buffer overflow. This was addressed in epan/dissectors/packet-adb.c by checking for a length inconsistency. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9264 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9265 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packet-tn3270.c has a memory leak. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9265 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9266 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packet-isup.c has a memory leak. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9266 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9267 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packet-lapd.c has a memory leak. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9267 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9268 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packet-smb2.c has a memory leak. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9268 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9269 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packet-giop.c has a memory leak. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9269 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9270 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/oids.c has a memory leak. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9270 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9271 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packet-multipart.c has a memory leak. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9271 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9272 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packet-h223.c has a memory leak. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9272 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9273 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/dissectors/packet-pcp.c has a memory leak. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9273 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2018-9274 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ui/failure_message.c has a memory leak. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9274 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-10894 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the GSS-API dissector could crash. This was addressed in epan/dissectors/packet-gssapi.c by ensuring that a valid dissector is called. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10894 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-10895 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the NetScaler file parser could crash. This was addressed in wiretap/netscaler.c by improving data validation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10895 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-10896 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the DOF dissector could crash. This was addressed in epan/dissectors/packet-dof.c by properly handling generated IID and OID bytes. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10896 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-10897 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.0.0, the IEEE 802.11 dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-ieee80211.c by detecting cases in which the bit offset does not advance. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10897 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-10898 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.0.0, the GSUP dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-gsm_gsup.c by rejecting an invalid Information Element length. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10898 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-10899 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the SRVLOC dissector could crash. This was addressed in epan/dissectors/packet-srvloc.c by preventing a heap-based buffer under-read. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10899 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-10900 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.0.0, the Rbm dissector could go into an infinite loop. This was addressed in epan/dissectors/file-rbm.c by handling unknown object types safely. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10900 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-10901 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the LDSS dissector could crash. This was addressed in epan/dissectors/packet-ldss.c by handling file digests properly. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10901 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-10902 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.0.0, the TSDNS dissector could crash. This was addressed in epan/dissectors/packet-tsdns.c by splitting strings safely. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10902 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-10903 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the DCERPC SPOOLSS dissector could crash. This was addressed in epan/dissectors/packet-dcerpc-spoolss.c by adding a boundary check. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10903 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-12295 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the dissection engine could crash. This was addressed in epan/packet.c by restricting the number of layers and consequently limiting recursion. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12295 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-13619 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.0.0 to 3.0.2, 2.6.0 to 2.6.9, and 2.4.0 to 2.4.15, the ASN.1 BER dissector and related dissectors could crash. This was addressed in epan/asn1.c by properly restricting buffer increments. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13619 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-16319 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.0.0 to 3.0.3 and 2.6.0 to 2.6.10, the Gryphon dissector could go into an infinite loop. This was addressed in plugins/epan/gryphon/packet-gryphon.c by checking for a message length of zero. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16319 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-19553 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.0.0 to 3.0.6 and 2.6.0 to 2.6.12, the CMS dissector could crash. This was addressed in epan/dissectors/asn1/cms/packet-cms-template.c by ensuring that an object identifier is set to NULL after a ContentInfo dissection. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19553 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-5716 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.5, the 6LoWPAN dissector could crash. This was addressed in epan/dissectors/packet-6lowpan.c by avoiding use of a TVB before its creation. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5716 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-5717 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the P_MUL dissector could crash. This was addressed in epan/dissectors/packet-p_mul.c by rejecting the invalid sequence number of zero. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5717 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-5718 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the RTSE dissector and other ASN.1 dissectors could crash. This was addressed in epan/charsets.c by adding a get_t61_string length check. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5718 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-5719 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.6.0 to 2.6.5 and 2.4.0 to 2.4.11, the ISAKMP dissector could crash. This was addressed in epan/dissectors/packet-isakmp.c by properly handling the case of a missing decryption data block. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5719 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-5721 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.11, the ENIP dissector could crash. This was addressed in epan/dissectors/packet-enip.c by changing the memory-management approach so that a use-after-free is avoided. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5721 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-9208 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the TCAP dissector could crash. This was addressed in epan/dissectors/asn1/tcap/tcap.cnf by avoiding NULL pointer dereferences. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9208 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-9209 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the ASN.1 BER and related dissectors could crash. This was addressed in epan/dissectors/packet-ber.c by preventing a buffer overflow associated with excessive digits in time values. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9209 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2019-9214 CVE STATUS: Patched CVE SUMMARY: In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the RPCAP dissector could crash. This was addressed in epan/dissectors/packet-rpcap.c by avoiding an attempted dereference of a NULL conversation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9214 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-11647 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.2.0 to 3.2.2, 3.0.0 to 3.0.9, and 2.6.0 to 2.6.15, the BACapp dissector could crash. This was addressed in epan/dissectors/packet-bacapp.c by limiting the amount of recursion. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11647 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-13164 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.2.0 to 3.2.3, 3.0.0 to 3.0.10, and 2.6.0 to 2.6.16, the NFS dissector could crash. This was addressed in epan/dissectors/packet-nfs.c by preventing excessive recursion, such as for a cycle in the directory graph on a filesystem. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13164 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-15466 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.2.0 to 3.2.4, the GVCP dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-gvcp.c by ensuring that an offset increases in all situations. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15466 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-17498 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.2.0 to 3.2.5, the Kafka protocol dissector could crash. This was addressed in epan/dissectors/packet-kafka.c by avoiding a double free during LZ4 decompression. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17498 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-25862 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.2.0 to 3.2.6, 3.0.0 to 3.0.13, and 2.6.0 to 2.6.20, the TCP dissector could crash. This was addressed in epan/dissectors/packet-tcp.c by changing the handling of the invalid 0xFFFF checksum. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25862 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-25863 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.2.0 to 3.2.6, 3.0.0 to 3.0.13, and 2.6.0 to 2.6.20, the MIME Multipart dissector could crash. This was addressed in epan/dissectors/packet-multipart.c by correcting the deallocation of invalid MIME parts. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25863 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-25866 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.2.0 to 3.2.6 and 3.0.0 to 3.0.13, the BLIP protocol dissector has a NULL pointer dereference because a buffer was sized for compressed (not uncompressed) messages. This was addressed in epan/dissectors/packet-blip.c by allowing reasonable compression ratios and rejecting ZIP bombs. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25866 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-26418 CVE STATUS: Patched CVE SUMMARY: Memory leak in Kafka protocol dissector in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 3.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-26418 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-26419 CVE STATUS: Patched CVE SUMMARY: Memory leak in the dissection engine in Wireshark 3.4.0 allows denial of service via packet injection or crafted capture file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 3.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-26419 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-26420 CVE STATUS: Patched CVE SUMMARY: Memory leak in RTPS protocol dissector in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 3.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-26420 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-26421 CVE STATUS: Patched CVE SUMMARY: Crash in USB HID protocol dissector and possibly other dissectors in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 4.2 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-26421 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-26422 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in QUIC dissector in Wireshark 3.4.0 to 3.4.1 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-26422 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-26575 CVE STATUS: Patched CVE SUMMARY: In Wireshark through 3.2.7, the Facebook Zero Protocol (aka FBZERO) dissector could enter an infinite loop. This was addressed in epan/dissectors/packet-fbzero.c by correcting the implementation of offset advancement. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-26575 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-28030 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.2.0 to 3.2.7, the GQUIC dissector could crash. This was addressed in epan/dissectors/packet-gquic.c by correcting the implementation of offset advancement. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28030 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-7044 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.2.x before 3.2.1, the WASSP dissector could crash. This was addressed in epan/dissectors/packet-wassp.c by using >= and <= to resolve off-by-one errors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7044 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-7045 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.0.x before 3.0.8, the BT ATT dissector could crash. This was addressed in epan/dissectors/packet-btatt.c by validating opcodes. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7045 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-9428 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the EAP dissector could crash. This was addressed in epan/dissectors/packet-eap.c by using more careful sscanf parsing. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-9428 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-9429 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.2.0 to 3.2.1, the WireGuard dissector could crash. This was addressed in epan/dissectors/packet-wireguard.c by handling the situation where a certain data structure intentionally has a NULL value. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-9429 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-9430 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the WiMax DLMAP dissector could crash. This was addressed in plugins/epan/wimax/msg_dlmap.c by validating a length field. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-9430 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2020-9431 CVE STATUS: Patched CVE SUMMARY: In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the LTE RRC dissector could leak memory. This was addressed in epan/dissectors/packet-lte-rrc.c by adjusting certain append operations. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-9431 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-22173 CVE STATUS: Patched CVE SUMMARY: Memory leak in USB HID dissector in Wireshark 3.4.0 to 3.4.2 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22173 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-22174 CVE STATUS: Patched CVE SUMMARY: Crash in USB HID dissector in Wireshark 3.4.0 to 3.4.2 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22174 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-22191 CVE STATUS: Patched CVE SUMMARY: Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 could allow remote code execution via via packet injection or crafted capture file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22191 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-22207 CVE STATUS: Patched CVE SUMMARY: Excessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to 3.4.4 and 3.2.0 to 3.2.12 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22207 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-22222 CVE STATUS: Patched CVE SUMMARY: Infinite loop in DVB-S2-BB dissector in Wireshark 3.4.0 to 3.4.5 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22222 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-22235 CVE STATUS: Patched CVE SUMMARY: Crash in DNP dissector in Wireshark 3.4.0 to 3.4.6 and 3.2.0 to 3.2.14 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-22235 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-39920 CVE STATUS: Patched CVE SUMMARY: NULL pointer exception in the IPPUSB dissector in Wireshark 3.4.0 to 3.4.9 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-39920 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-39921 CVE STATUS: Patched CVE SUMMARY: NULL pointer exception in the Modbus dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-39921 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-39922 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the C12.22 dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-39922 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-39923 CVE STATUS: Patched CVE SUMMARY: Large loop in the PNRP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-39923 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-39924 CVE STATUS: Patched CVE SUMMARY: Large loop in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-39924 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-39925 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-39925 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-39926 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the Bluetooth HCI_ISO dissector in Wireshark 3.4.0 to 3.4.9 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-39926 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-39928 CVE STATUS: Patched CVE SUMMARY: NULL pointer exception in the IEEE 802.11 dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-39928 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-39929 CVE STATUS: Patched CVE SUMMARY: Uncontrolled Recursion in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-39929 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-4181 CVE STATUS: Patched CVE SUMMARY: Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4181 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-4182 CVE STATUS: Patched CVE SUMMARY: Crash in the RFC 7468 dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4182 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-4183 CVE STATUS: Patched CVE SUMMARY: Crash in the pcapng file parser in Wireshark 3.6.0 allows denial of service via crafted capture file CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4183 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-4184 CVE STATUS: Patched CVE SUMMARY: Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4184 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-4185 CVE STATUS: Patched CVE SUMMARY: Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4185 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-4186 CVE STATUS: Patched CVE SUMMARY: Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4186 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2021-4190 CVE STATUS: Patched CVE SUMMARY: Large loop in the Kafka dissector in Wireshark 3.6.0 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4190 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2022-0581 CVE STATUS: Patched CVE SUMMARY: Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0581 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2022-0582 CVE STATUS: Patched CVE SUMMARY: Unaligned access in the CSN.1 protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0582 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2022-0583 CVE STATUS: Patched CVE SUMMARY: Crash in the PVFS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0583 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2022-0585 CVE STATUS: Patched CVE SUMMARY: Large loops in multiple protocol dissectors in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allow denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0585 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2022-0586 CVE STATUS: Patched CVE SUMMARY: Infinite loop in RTMPT protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0586 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2022-3190 CVE STATUS: Patched CVE SUMMARY: Infinite loop in the F5 Ethernet Trailer protocol dissector in Wireshark 3.6.0 to 3.6.7 and 3.4.0 to 3.4.15 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3190 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2022-3724 CVE STATUS: Patched CVE SUMMARY: Crash in the USB HID protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file on Windows CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3724 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2022-3725 CVE STATUS: Patched CVE SUMMARY: Crash in the OPUS protocol dissector in Wireshark 3.6.0 to 3.6.8 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3725 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2022-4344 CVE STATUS: Patched CVE SUMMARY: Memory exhaustion in the Kafka protocol dissector in Wireshark 4.0.0 to 4.0.1 and 3.6.0 to 3.6.9 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4344 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2022-4345 CVE STATUS: Patched CVE SUMMARY: Infinite loops in the BPv6, OpenFlow, and Kafka protocol dissectors in Wireshark 4.0.0 to 4.0.1 and 3.6.0 to 3.6.9 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4345 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-0411 CVE STATUS: Patched CVE SUMMARY: Excessive loops in multiple dissectors in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0411 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-0412 CVE STATUS: Patched CVE SUMMARY: TIPC dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0412 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-0413 CVE STATUS: Patched CVE SUMMARY: Dissection engine bug in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0413 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-0414 CVE STATUS: Patched CVE SUMMARY: Crash in the EAP dissector in Wireshark 4.0.0 to 4.0.2 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0414 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-0415 CVE STATUS: Patched CVE SUMMARY: iSCSI dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0415 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-0416 CVE STATUS: Patched CVE SUMMARY: GNW dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0416 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-0417 CVE STATUS: Patched CVE SUMMARY: Memory leak in the NFS dissector in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0417 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-0666 CVE STATUS: Patched CVE SUMMARY: Due to failure in validating the length provided by an attacker-crafted RTPS packet, Wireshark version 4.0.5 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0666 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-0667 CVE STATUS: Patched CVE SUMMARY: Due to failure in validating the length provided by an attacker-crafted MSMMS packet, Wireshark version 4.0.5 and prior, in an unusual configuration, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0667 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-0668 CVE STATUS: Patched CVE SUMMARY: Due to failure in validating the length provided by an attacker-crafted IEEE-C37.118 packet, Wireshark version 4.0.5 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0668 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-1161 CVE STATUS: Patched CVE SUMMARY: ISO 15765 and ISO 10681 dissector crash in Wireshark 4.0.0 to 4.0.3 and 3.6.0 to 3.6.11 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1161 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-1992 CVE STATUS: Patched CVE SUMMARY: RPCoRDMA dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1992 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-1993 CVE STATUS: Patched CVE SUMMARY: LISP dissector large loop in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1993 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-1994 CVE STATUS: Patched CVE SUMMARY: GQUIC dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1994 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-2854 CVE STATUS: Patched CVE SUMMARY: BLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2854 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-2855 CVE STATUS: Patched CVE SUMMARY: Candump log parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2855 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-2856 CVE STATUS: Patched CVE SUMMARY: VMS TCPIPtrace file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2856 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-2857 CVE STATUS: Patched CVE SUMMARY: BLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2857 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-2858 CVE STATUS: Patched CVE SUMMARY: NetScaler file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2858 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-2879 CVE STATUS: Patched CVE SUMMARY: GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2879 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-2906 CVE STATUS: Patched CVE SUMMARY: Due to a failure in validating the length provided by an attacker-crafted CP2179 packet, Wireshark versions 2.0.0 through 4.0.7 is susceptible to a divide by zero allowing for a denial of service attack. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2906 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-2952 CVE STATUS: Patched CVE SUMMARY: XRA dissector infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2952 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-3648 CVE STATUS: Patched CVE SUMMARY: Kafka dissector crash in Wireshark 4.0.0 to 4.0.6 and 3.6.0 to 3.6.14 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3648 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-3649 CVE STATUS: Patched CVE SUMMARY: iSCSI dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3649 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-4511 CVE STATUS: Patched CVE SUMMARY: BT SDP dissector infinite loop in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4511 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-4512 CVE STATUS: Patched CVE SUMMARY: CBOR dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4512 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-4513 CVE STATUS: Patched CVE SUMMARY: BT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4513 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-5371 CVE STATUS: Patched CVE SUMMARY: RTPS dissector memory leak in Wireshark 4.0.0 to 4.0.8 and 3.6.0 to 3.6.16 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5371 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-6174 CVE STATUS: Patched CVE SUMMARY: SSH dissector crash in Wireshark 4.0.0 to 4.0.10 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6174 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2023-6175 CVE STATUS: Patched CVE SUMMARY: NetScreen file parser crash in Wireshark 4.0.0 to 4.0.10 and 3.6.0 to 3.6.18 allows denial of service via crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6175 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-0207 CVE STATUS: Patched CVE SUMMARY: HTTP3 dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0207 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-0208 CVE STATUS: Patched CVE SUMMARY: GVCP dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3.6.0 to 3.6.19 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0208 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-0209 CVE STATUS: Patched CVE SUMMARY: IEEE 1609.2 dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3.6.0 to 3.6.19 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0209 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-0210 CVE STATUS: Patched CVE SUMMARY: Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0210 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-0211 CVE STATUS: Patched CVE SUMMARY: DOCSIS dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0211 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-11595 CVE STATUS: Patched CVE SUMMARY: FiveCo RAP dissector infinite loop in Wireshark 4.4.0 to 4.4.1 and 4.2.0 to 4.2.8 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-11595 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-11596 CVE STATUS: Patched CVE SUMMARY: ECMP dissector crash in Wireshark 4.4.0 to 4.4.1 and 4.2.0 to 4.2.8 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-11596 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-24476 CVE STATUS: Patched CVE SUMMARY: A buffer overflow in Wireshark before 4.2.0 allows a remote attacker to cause a denial of service via the pan/addr_resolv.c, and ws_manuf_lookup_str(), size components. NOTE: this is disputed by the vendor because neither release 4.2.0 nor any other release was affected. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-24476 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-24478 CVE STATUS: Patched CVE SUMMARY: An issue in Wireshark before 4.2.0 allows a remote attacker to cause a denial of service via the packet-bgp.c, dissect_bgp_open(tvbuff_t*tvb, proto_tree*tree, packet_info*pinfo), optlen components. NOTE: this is disputed by the vendor because neither release 4.2.0 nor any other release was affected. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-24478 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-24479 CVE STATUS: Patched CVE SUMMARY: A Buffer Overflow in Wireshark before 4.2.0 allows a remote attacker to cause a denial of service via the wsutil/to_str.c, and format_fractional_part_nsecs components. NOTE: this is disputed by the vendor because neither release 4.2.0 nor any other release was affected. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-24479 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-2955 CVE STATUS: Patched CVE SUMMARY: T.38 dissector crash in Wireshark 4.2.0 to 4.0.3 and 4.0.0 to 4.0.13 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-2955 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-4853 CVE STATUS: Patched CVE SUMMARY: Memory handling issue in editcap could cause denial of service via crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-4853 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-4854 CVE STATUS: Patched CVE SUMMARY: MONGO and ZigBee TLV dissector infinite loops in Wireshark 4.2.0 to 4.2.4, 4.0.0 to 4.0.14, and 3.6.0 to 3.6.22 allow denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-4854 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-4855 CVE STATUS: Patched CVE SUMMARY: Use after free issue in editcap could cause denial of service via crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-4855 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-8250 CVE STATUS: Patched CVE SUMMARY: NTLMSSP dissector crash in Wireshark 4.2.0 to 4.0.6 and 4.0.0 to 4.0.16 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-8250 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-8645 CVE STATUS: Patched CVE SUMMARY: SPRT dissector crash in Wireshark 4.2.0 to 4.0.5 and 4.0.0 to 4.0.15 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-8645 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-9780 CVE STATUS: Patched CVE SUMMARY: ITS dissector crash in Wireshark 4.4.0 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-9780 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2024-9781 CVE STATUS: Patched CVE SUMMARY: AppleTalk and RELOAD Framing dissector crash in Wireshark 4.4.0 and 4.2.0 to 4.2.7 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-9781 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2025-11626 CVE STATUS: Patched CVE SUMMARY: MONGO dissector infinite loop in Wireshark 4.4.0 to 4.4.9 and 4.2.0 to 4.2.13 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-11626 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2025-13499 CVE STATUS: Patched CVE SUMMARY: Kafka dissector crash in Wireshark 4.6.0 and 4.4.0 to 4.4.10 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-13499 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2025-13674 CVE STATUS: Patched CVE SUMMARY: BPv7 dissector crash in Wireshark 4.6.0 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-13674 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2025-13945 CVE STATUS: Patched CVE SUMMARY: HTTP3 dissector crash in Wireshark 4.6.0 and 4.6.1 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-13945 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2025-13946 CVE STATUS: Patched CVE SUMMARY: MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0 to 4.4.11 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-13946 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2025-1492 CVE STATUS: Patched CVE SUMMARY: Bundle Protocol and CBOR dissector crashes in Wireshark 4.4.0 to 4.4.3 and 4.2.0 to 4.2.10 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-1492 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2025-5601 CVE STATUS: Patched CVE SUMMARY: Column handling crashes in Wireshark 4.4.0 to 4.4.6 and 4.2.0 to 4.2.12 allows denial of service via packet injection or crafted capture file CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-5601 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2025-9817 CVE STATUS: Patched CVE SUMMARY: SSH dissector crash in Wireshark 4.4.0 to 4.4.8 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-9817 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-0959 CVE STATUS: Patched CVE SUMMARY: IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-0959 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-0960 CVE STATUS: Patched CVE SUMMARY: HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-0960 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-0961 CVE STATUS: Patched CVE SUMMARY: BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-0961 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-0962 CVE STATUS: Patched CVE SUMMARY: SOME/IP-SD protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-0962 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-3201 CVE STATUS: Patched CVE SUMMARY: USB HID protocol dissector memory exhaustion in Wireshark 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3201 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-3202 CVE STATUS: Patched CVE SUMMARY: NTS-KE protocol dissector crash in Wireshark 4.6.0 to 4.6.3 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3202 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-3203 CVE STATUS: Patched CVE SUMMARY: RF4CE Profile protocol dissector crash in Wireshark 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3203 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-5299 CVE STATUS: Patched CVE SUMMARY: ICMPv6 PvD protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5299 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-5401 CVE STATUS: Patched CVE SUMMARY: AFP Spotlight protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5401 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-5402 CVE STATUS: Patched CVE SUMMARY: TLS protocol dissector heap overflow in Wireshark 4.6.0 to 4.6.4 allows denial of service and possible code execution CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5402 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-5403 CVE STATUS: Patched CVE SUMMARY: SBC codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5403 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-5404 CVE STATUS: Patched CVE SUMMARY: K12 RF5 file parser crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5404 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-5405 CVE STATUS: Patched CVE SUMMARY: RDP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5405 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-5406 CVE STATUS: Patched CVE SUMMARY: FC-SWILS protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5406 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-5407 CVE STATUS: Patched CVE SUMMARY: SMB2 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5407 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-5408 CVE STATUS: Patched CVE SUMMARY: BT-DHT protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5408 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-5409 CVE STATUS: Patched CVE SUMMARY: Monero protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5409 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-5653 CVE STATUS: Patched CVE SUMMARY: DCP-ETSI protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5653 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-5654 CVE STATUS: Patched CVE SUMMARY: AMR-NB codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5654 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-5655 CVE STATUS: Patched CVE SUMMARY: SDP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5655 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-5656 CVE STATUS: Patched CVE SUMMARY: Profile import path traversal in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5656 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-5657 CVE STATUS: Patched CVE SUMMARY: iLBC codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5657 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6519 CVE STATUS: Patched CVE SUMMARY: MBIM protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6519 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6520 CVE STATUS: Patched CVE SUMMARY: OpenFlow v6 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6520 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6521 CVE STATUS: Patched CVE SUMMARY: OpenFlow v5 protocol dissector infinite loops in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6521 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6522 CVE STATUS: Patched CVE SUMMARY: RPKI-Router protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6522 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6523 CVE STATUS: Patched CVE SUMMARY: GNW protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6523 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6524 CVE STATUS: Patched CVE SUMMARY: MySQL protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6524 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6525 CVE STATUS: Patched CVE SUMMARY: IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.4 CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6525 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6526 CVE STATUS: Patched CVE SUMMARY: RTSP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6526 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6527 CVE STATUS: Patched CVE SUMMARY: ASN.1 PER protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6527 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6528 CVE STATUS: Patched CVE SUMMARY: TLS protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6528 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6529 CVE STATUS: Patched CVE SUMMARY: iLBC audio codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6529 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6530 CVE STATUS: Patched CVE SUMMARY: DCP-ETSI protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6530 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6531 CVE STATUS: Patched CVE SUMMARY: SANE protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6531 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6532 CVE STATUS: Patched CVE SUMMARY: Kismet protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6532 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6533 CVE STATUS: Patched CVE SUMMARY: Dissection engine LZ77 decompression crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6533 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6534 CVE STATUS: Patched CVE SUMMARY: USB HID protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6534 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6535 CVE STATUS: Patched CVE SUMMARY: Dissection engine zlib decompression crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6535 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6536 CVE STATUS: Patched CVE SUMMARY: DLMS/COSEM protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6536 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6537 CVE STATUS: Patched CVE SUMMARY: ZigBee protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6537 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6538 CVE STATUS: Patched CVE SUMMARY: BEEP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6538 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6867 CVE STATUS: Patched CVE SUMMARY: SMB2 protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6867 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6868 CVE STATUS: Patched CVE SUMMARY: HTTP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6868 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6869 CVE STATUS: Patched CVE SUMMARY: WebSocket protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6869 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-6870 CVE STATUS: Patched CVE SUMMARY: GSM RP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6870 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-7375 CVE STATUS: Patched CVE SUMMARY: UDS protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-7375 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-7376 CVE STATUS: Patched CVE SUMMARY: Crash in sharkd 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-7376 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-7378 CVE STATUS: Patched CVE SUMMARY: Crash in sharkd 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-7378 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-7379 CVE STATUS: Patched CVE SUMMARY: Memory leak in sharkd 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-7379 LAYER: meta-networking PACKAGE NAME: wireshark PACKAGE VERSION: 1_4.2.14 CVE: CVE-2026-9759 CVE STATUS: Patched CVE SUMMARY: ROHC protocol dissector crash in Wireshark 4.6.0 to 4.6.5 and 4.4.0 to 4.4.15 allows denial of service CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-9759 LAYER: meta PACKAGE NAME: iputils PACKAGE VERSION: 20240117 CVE: CVE-2000-1213 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: Fixed in 2000-10-10, but the versioning of iputils breaks the version order. CVE SUMMARY: ping in iputils before 20001010, as distributed on Red Hat Linux 6.2 through 7J and other operating systems, does not drop privileges after acquiring a raw socket, which increases ping's exposure to bugs that otherwise would occur at lower privileges. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1213 LAYER: meta PACKAGE NAME: iputils PACKAGE VERSION: 20240117 CVE: CVE-2000-1214 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: Fixed in 2000-10-10, but the versioning of iputils breaks the version order. CVE SUMMARY: Buffer overflows in the (1) outpack or (2) buf variables of ping in iputils before 20001010, as distributed on Red Hat Linux 6.2 through 7J and other operating systems, may allow local users to gain privileges. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1214 LAYER: meta PACKAGE NAME: iputils PACKAGE VERSION: 20240117 CVE: CVE-2010-2529 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in ping.c in iputils 20020927, 20070202, 20071127, and 20100214 on Mandriva Linux allows remote attackers to cause a denial of service (hang) via a crafted echo response. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2529 LAYER: meta PACKAGE NAME: iputils PACKAGE VERSION: 20240117 CVE: CVE-2025-47268 CVE STATUS: Patched CVE SUMMARY: ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-47268 LAYER: meta PACKAGE NAME: iputils PACKAGE VERSION: 20240117 CVE: CVE-2025-48964 CVE STATUS: Patched CVE SUMMARY: ping in iputils before 20250602 allows a denial of service (application error in adaptive ping mode or incorrect data collection) via a crafted ICMP Echo Reply packet, because a zero timestamp can lead to large intermediate values that have an integer overflow when squared during statistics calculations. NOTE: this issue exists because of an incomplete fix for CVE-2025-47268 (that fix was only about timestamp calculations, and it did not account for a specific scenario where the original timestamp in the ICMP payload is zero). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-48964 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2004-0691 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2004-0692 CVE STATUS: Patched CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2004-0693 CVE STATUS: Patched CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2005-0627 CVE STATUS: Patched CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2006-4811 CVE STATUS: Patched CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2007-0242 CVE STATUS: Patched CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2007-3388 CVE STATUS: Patched CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2007-4137 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2009-2700 CVE STATUS: Patched CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2010-1766 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2010-2621 CVE STATUS: Patched CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2010-5076 CVE STATUS: Patched CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2011-3193 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2011-3194 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2012-5624 CVE STATUS: Patched CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2012-6093 CVE STATUS: Patched CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2013-0254 CVE STATUS: Patched CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2013-4549 CVE STATUS: Patched CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2014-0190 CVE STATUS: Patched CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-0295 CVE STATUS: Patched CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1290 CVE STATUS: Patched CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1858 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1859 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1860 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-7298 CVE STATUS: Patched CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-9541 CVE STATUS: Patched CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2017-10904 CVE STATUS: Patched CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2017-10905 CVE STATUS: Patched CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2017-15011 CVE STATUS: Patched CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-15518 CVE STATUS: Patched CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19865 CVE STATUS: Patched CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19869 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19870 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19871 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19872 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19873 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-21035 CVE STATUS: Patched CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-0569 CVE STATUS: Patched CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 5.7 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-0570 CVE STATUS: Patched CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-12267 CVE STATUS: Patched CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-13962 CVE STATUS: Patched CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.) CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-17507 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-24742 CVE STATUS: Patched CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2021-28025 CVE STATUS: Patched CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2021-3481 CVE STATUS: Patched CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2021-38593 CVE STATUS: Patched CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-25255 CVE STATUS: Patched CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-25634 CVE STATUS: Patched CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-40983 CVE STATUS: Patched CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-43591 CVE STATUS: Patched CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-24607 CVE STATUS: Patched CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32573 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32762 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32763 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-33285 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-34410 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-37369 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-38197 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-43114 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-51714 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-25580 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-25580 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-30161 CVE STATUS: Patched CVE SUMMARY: In Qt 6.5.4, 6.5.5, and 6.6.2, QNetworkReply header data might be accessed via a dangling pointer in Qt for WebAssembly (wasm). (Earlier and later versions are unaffected.) CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-30161 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-36048 CVE STATUS: Unpatched CVE SUMMARY: QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36048 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-39936 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-14576 CVE STATUS: Patched CVE SUMMARY: Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 7.4 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-14576 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-30348 CVE STATUS: Unpatched CVE SUMMARY: encodeText in QDom in Qt before 6.8.0 has a complex algorithm involving XML string copy and inline replacement of parts of a string (with relocation of later data). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-30348 LAYER: meta-qt5 PACKAGE NAME: qtdeclarative PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-5683 CVE STATUS: Patched CVE SUMMARY: When loading a specifically crafted ICNS format image file in QImage then it will trigger a crash. This issue affects Qt from versions 6.3.0 through 6.5.9, from 6.6.0 through 6.8.4, 6.9.0. This is fixed in 6.5.10, 6.8.5 and 6.9.1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 5.1 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-5683 LAYER: meta PACKAGE NAME: fontconfig PACKAGE VERSION: 2.15.0 CVE: CVE-2016-5384 CVE STATUS: Patched CVE SUMMARY: fontconfig before 2.12.1 does not validate offsets, which allows local users to trigger arbitrary free calls and consequently conduct double free attacks and execute arbitrary code via a crafted cache file. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5384 LAYER: meta PACKAGE NAME: fontconfig PACKAGE VERSION: 2.15.0 CVE: CVE-2026-34085 CVE STATUS: Patched CVE SUMMARY: fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-34085 LAYER: meta PACKAGE NAME: python3-jinja2 PACKAGE VERSION: 3.1.6 CVE: CVE-2014-0012 CVE STATUS: Patched CVE SUMMARY: FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0012 LAYER: meta PACKAGE NAME: python3-jinja2 PACKAGE VERSION: 3.1.6 CVE: CVE-2014-1402 CVE STATUS: Patched CVE SUMMARY: The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1402 LAYER: meta PACKAGE NAME: python3-jinja2 PACKAGE VERSION: 3.1.6 CVE: CVE-2016-10745 CVE STATUS: Patched CVE SUMMARY: In Pallets Jinja before 2.8.1, str.format allows a sandbox escape. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10745 LAYER: meta PACKAGE NAME: python3-jinja2 PACKAGE VERSION: 3.1.6 CVE: CVE-2019-10906 CVE STATUS: Patched CVE SUMMARY: In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-10906 LAYER: meta PACKAGE NAME: python3-jinja2 PACKAGE VERSION: 3.1.6 CVE: CVE-2019-8341 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8341 LAYER: meta PACKAGE NAME: python3-jinja2 PACKAGE VERSION: 3.1.6 CVE: CVE-2020-28493 CVE STATUS: Patched CVE SUMMARY: This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28493 LAYER: meta PACKAGE NAME: python3-jinja2 PACKAGE VERSION: 3.1.6 CVE: CVE-2024-22195 CVE STATUS: Patched CVE SUMMARY: Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-22195 LAYER: meta PACKAGE NAME: python3-jinja2 PACKAGE VERSION: 3.1.6 CVE: CVE-2024-34064 CVE STATUS: Patched CVE SUMMARY: Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-34064 LAYER: meta PACKAGE NAME: python3-jinja2 PACKAGE VERSION: 3.1.6 CVE: CVE-2024-56201 CVE STATUS: Patched CVE SUMMARY: Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. This vulnerability is fixed in 3.1.5. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 5.4 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-56201 LAYER: meta PACKAGE NAME: python3-jinja2 PACKAGE VERSION: 3.1.6 CVE: CVE-2024-56326 CVE STATUS: Patched CVE SUMMARY: Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's format method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox. This vulnerability is fixed in 3.1.5. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 5.4 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-56326 LAYER: meta PACKAGE NAME: python3-jinja2 PACKAGE VERSION: 3.1.6 CVE: CVE-2025-27516 CVE STATUS: Patched CVE SUMMARY: Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 5.4 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-27516 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-1999-0199 CVE STATUS: Patched CVE SUMMARY: manual/search.texi in the GNU C Library (aka glibc) before 2.2 lacks a statement about the unspecified tdelete return value upon deletion of a tree's root, which might allow attackers to access a dangling pointer in an application whose developer was unaware of a documentation update from 1999. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-0199 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2000-0335 CVE STATUS: Patched CVE SUMMARY: The resolver in glibc 2.1.3 uses predictable IDs, which allows a local attacker to spoof DNS query results. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0335 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2000-0824 CVE STATUS: Patched CVE SUMMARY: The unsetenv function in glibc 2.1.1 does not properly unset an environmental variable if the variable is provided twice to a program, which could allow local users to execute arbitrary commands in setuid programs by specifying their own duplicate environmental variables such as LD_PRELOAD or LD_LIBRARY_PATH. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0824 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2000-0959 CVE STATUS: Patched CVE SUMMARY: glibc2 does not properly clear the LD_DEBUG_OUTPUT and LD_DEBUG environmental variables when a program is spawned from a setuid program, which could allow local users to overwrite files via a symlink attack. CVSS v2 BASE SCORE: 1.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0959 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2002-0684 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0684 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2002-1146 CVE STATUS: Patched CVE SUMMARY: The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1146 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2002-1265 CVE STATUS: Patched CVE SUMMARY: The Sun RPC functionality in multiple libc implementations does not provide a time-out mechanism when reading data from TCP connections, which allows remote attackers to cause a denial of service (hang). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1265 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2003-0028 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0028 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2003-0859 CVE STATUS: Patched CVE SUMMARY: The getifaddrs function in GNU libc (glibc) 2.2.4 and earlier allows local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0859 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2004-0968 CVE STATUS: Patched CVE SUMMARY: The catchsegv script in glibc 2.3.2 and earlier allows local users to overwrite files via a symlink attack on temporary files. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0968 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2004-1382 CVE STATUS: Patched CVE SUMMARY: The glibcbug script in glibc 2.3.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CVE-2004-0968. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1382 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2004-1453 CVE STATUS: Patched CVE SUMMARY: GNU glibc 2.3.4 before 2.3.4.20040619, 2.3.3 before 2.3.3.20040420, and 2.3.2 before 2.3.2-r10 does not restrict the use of LD_DEBUG for a setuid program, which allows local users to gain sensitive information, such as the list of symbols used by the program. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1453 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2005-3590 CVE STATUS: Patched CVE SUMMARY: The getgrouplist function in the GNU C library (glibc) before version 2.3.5, when invoked with a zero argument, writes to the passed pointer even if the specified array size is zero, leading to a buffer overflow and potentially allowing attackers to corrupt memory. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-3590 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2006-7254 CVE STATUS: Patched CVE SUMMARY: The nscd daemon in the GNU C Library (glibc) before version 2.5 does not close incoming client sockets if they cannot be handled by the daemon, allowing local users to carry out a denial of service attack on the daemon. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7254 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2007-3508 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the process_envvars function in elf/rtld.c in glibc before 2.5-rc4 might allow local users to execute arbitrary code via a large LD_HWCAP_MASK environment variable value. NOTE: the glibc maintainers state that they do not believe that this issue is exploitable for code execution CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3508 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2009-4880 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the strfmon implementation in the GNU C Library (aka glibc or libc6) 2.10.1 and earlier allow context-dependent attackers to cause a denial of service (memory consumption or application crash) via a crafted format string, as demonstrated by a crafted first argument to the money_format function in PHP, a related issue to CVE-2008-1391. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4880 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2009-4881 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in the strfmon implementation in the GNU C Library (aka glibc or libc6) before 2.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted format string, as demonstrated by the %99999999999999999999n string, a related issue to CVE-2008-1391. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4881 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2009-5029 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the __tzfile_read function in glibc before 2.15 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted timezone (TZ) file, as demonstrated using vsftpd. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5029 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2009-5064 CVE STATUS: Patched CVE SUMMARY: ldd in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows local users to gain privileges via a Trojan horse executable file linked with a modified loader that omits certain LD_TRACE_LOADED_OBJECTS checks. NOTE: the GNU C Library vendor states "This is just nonsense. There are a gazillion other ways to introduce code if people are downloading arbitrary binaries and install them in appropriate directories or set LD_LIBRARY_PATH etc. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5064 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2009-5155 CVE STATUS: Patched CVE SUMMARY: In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service (assertion failure and application exit) or trigger an incorrect result by attempting a regular-expression match. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-5155 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2010-0015 CVE STATUS: Patched CVE SUMMARY: nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0015 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2010-0296 CVE STATUS: Patched CVE SUMMARY: The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0296 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2010-0830 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the elf_get_dynamic_info function in elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6) 2.0.1 through 2.11.1, when the --verify option is used, allows user-assisted remote attackers to execute arbitrary code via a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0830 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2010-3192 CVE STATUS: Patched CVE SUMMARY: Certain run-time memory protection mechanisms in the GNU C Library (aka glibc or libc6) print argv[0] and backtrace information, which might allow context-dependent attackers to obtain sensitive information from process memory by executing an incorrect program, as demonstrated by a setuid program that contains a stack-based buffer overflow error, related to the __fortify_fail function in debug/fortify_fail.c, and the __stack_chk_fail (aka stack protection) and __chk_fail (aka FORTIFY_SOURCE) implementations. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3192 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2010-3847 CVE STATUS: Patched CVE SUMMARY: elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3847 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2010-3856 CVE STATUS: Patched CVE SUMMARY: ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared objects (DSOs) as audit objects, which allows local users to gain privileges by leveraging an unsafe DSO located in a trusted library directory, as demonstrated by libpcprofile.so. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3856 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2010-4051 CVE STATUS: Patched CVE SUMMARY: The regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (application crash) via a regular expression containing adjacent bounded repetitions that bypass the intended RE_DUP_MAX limitation, as demonstrated by a {10,}{10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD, related to a "RE_DUP_MAX overflow." CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4051 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2010-4052 CVE STATUS: Patched CVE SUMMARY: Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4052 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2010-4756 CVE STATUS: Ignored CVE DETAIL: upstream-wontfix CVE DESCRIPTION: Issue is memory exhaustion via glob() calls, e.g. from within an ftp server Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 Upstream don't see it as a security issue, ftp servers shouldn't be passing this to libc glob. Upstream have no plans to add BSD's GLOB_LIMIT or similar. CVE SUMMARY: The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4756 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2011-0536 CVE STATUS: Patched CVE SUMMARY: Multiple untrusted search path vulnerabilities in elf/dl-object.c in certain modified versions of the GNU C Library (aka glibc or libc6), including glibc-2.5-49.el5_5.6 and glibc-2.12-1.7.el6_0.3 in Red Hat Enterprise Linux, allow local users to gain privileges via a crafted dynamic shared object (DSO) in a subdirectory of the current working directory during execution of a (1) setuid or (2) setgid program that has $ORIGIN in (a) RPATH or (b) RUNPATH within the program itself or a referenced library. NOTE: this issue exists because of an incorrect fix for CVE-2010-3847. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0536 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2011-1071 CVE STATUS: Patched CVE SUMMARY: The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC (EGLIBC) allow context-dependent attackers to execute arbitrary code or cause a denial of service (memory consumption) via a long UTF8 string that is used in an fnmatch call, aka a "stack extension attack," a related issue to CVE-2010-2898, CVE-2010-1917, and CVE-2007-4782, as originally reported for use of this library by Google Chrome. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1071 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2011-1089 CVE STATUS: Patched CVE SUMMARY: The addmntent function in the GNU C Library (aka glibc or libc6) 2.13 and earlier does not report an error status for failed attempts to write to the /etc/mtab file, which makes it easier for local users to trigger corruption of this file, as demonstrated by writes from a process with a small RLIMIT_FSIZE value, a different vulnerability than CVE-2010-0296. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1089 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2011-1095 CVE STATUS: Patched CVE SUMMARY: locale/programs/locale.c in locale in the GNU C Library (aka glibc or libc6) before 2.13 does not quote its output, which might allow local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script that uses the eval function. CVSS v2 BASE SCORE: 6.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1095 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2011-1658 CVE STATUS: Patched CVE SUMMARY: ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier expands the $ORIGIN dynamic string token when RPATH is composed entirely of this token, which might allow local users to gain privileges by creating a hard link in an arbitrary directory to a (1) setuid or (2) setgid program with this RPATH value, and then executing the program with a crafted value for the LD_PRELOAD environment variable, a different vulnerability than CVE-2010-3847 and CVE-2011-0536. NOTE: it is not expected that any standard operating-system distribution would ship an applicable setuid or setgid program. CVSS v2 BASE SCORE: 3.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1658 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2011-1659 CVE STATUS: Patched CVE SUMMARY: Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long UTF8 string that is used in an fnmatch call with a crafted pattern argument, a different vulnerability than CVE-2011-1071. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1659 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2011-2702 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in Glibc before 2.13 and eglibc before 2.13, when using Supplemental Streaming SIMD Extensions 3 (SSSE3) optimization, allows context-dependent attackers to execute arbitrary code via a negative length parameter to (1) memcpy-ssse3-rep.S, (2) memcpy-ssse3.S, or (3) memset-sse2.S in sysdeps/i386/i686/multiarch/, which triggers an out-of-bounds read, as demonstrated using the memcpy function. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2702 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2011-4609 CVE STATUS: Patched CVE SUMMARY: The svc_run function in the RPC implementation in glibc before 2.15 allows remote attackers to cause a denial of service (CPU consumption) via a large number of RPC connections. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4609 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2011-5320 CVE STATUS: Patched CVE SUMMARY: scanf and related functions in glibc before 2.15 allow local users to cause a denial of service (segmentation fault) via a large string of 0s. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-5320 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2012-0864 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the vfprintf function in stdio-common/vfprintf.c in glibc 2.14 and other versions allows context-dependent attackers to bypass the FORTIFY_SOURCE protection mechanism, conduct format string attacks, and write to arbitrary memory via a large number of arguments. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0864 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2012-3404 CVE STATUS: Patched CVE SUMMARY: The vfprintf function in stdio-common/vfprintf.c in libc in GNU C Library (aka glibc) 2.12 and other versions does not properly calculate a buffer length, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (stack corruption and crash) via a format string that uses positional parameters and many format specifiers. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3404 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2012-3405 CVE STATUS: Patched CVE SUMMARY: The vfprintf function in stdio-common/vfprintf.c in libc in GNU C Library (aka glibc) 2.14 and other versions does not properly calculate a buffer length, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (segmentation fault and crash) via a format string with a large number of format specifiers that triggers "desynchronization within the buffer size handling," a different vulnerability than CVE-2012-3404. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3405 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2012-3406 CVE STATUS: Patched CVE SUMMARY: The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not "properly restrict the use of" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3406 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2012-3480 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the (1) strtod, (2) strtof, (3) strtold, (4) strtod_l, and other unspecified "related functions" in stdlib in GNU C Library (aka glibc or libc6) 2.16 allow local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3480 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2012-4412 CVE STATUS: Patched CVE SUMMARY: Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4412 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2012-4424 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-4424 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2012-6656 CVE STATUS: Patched CVE SUMMARY: iconvdata/ibm930.c in GNU C Library (aka glibc) before 2.16 allows context-dependent attackers to cause a denial of service (out-of-bounds read) via a multibyte character value of "0xffff" to the iconv function when converting IBM930 encoded data to UTF-8. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6656 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2013-0242 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the extend_buffers function in the regular expression matcher (posix/regexec.c) in glibc, possibly 2.17 and earlier, allows context-dependent attackers to cause a denial of service (memory corruption and crash) via crafted multibyte characters. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0242 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2013-1914 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.17 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of domain conversion results. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1914 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2013-2207 CVE STATUS: Patched CVE SUMMARY: pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly check permissions for tty files, which allows local users to change the permission on the files and obtain access to arbitrary pseudo-terminals by leveraging a FUSE file system. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2207 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2013-4237 CVE STATUS: Patched CVE SUMMARY: sysdeps/posix/readdir_r.c in the GNU C Library (aka glibc or libc6) 2.18 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted (1) NTFS or (2) CIFS image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4237 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2013-4332 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in malloc/malloc.c in the GNU C Library (aka glibc or libc6) 2.18 and earlier allow context-dependent attackers to cause a denial of service (heap corruption) via a large value to the (1) pvalloc, (2) valloc, (3) posix_memalign, (4) memalign, or (5) aligned_alloc functions. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4332 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2013-4458 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.18 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of AF_INET6 address results. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1914. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4458 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2013-4788 CVE STATUS: Patched CVE SUMMARY: The PTR_MANGLE implementation in the GNU C Library (aka glibc or libc6) 2.4, 2.17, and earlier, and Embedded GLIBC (EGLIBC) does not initialize the random value for the pointer guard, which makes it easier for context-dependent attackers to control execution flow by leveraging a buffer-overflow vulnerability in an application and using the known zero value pointer guard to calculate a pointer address. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4788 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2013-7423 CVE STATUS: Patched CVE SUMMARY: The send_dg function in resolv/res_send.c in GNU C Library (aka glibc or libc6) before 2.20 does not properly reuse file descriptors, which allows remote attackers to send DNS queries to unintended locations via a large number of requests that trigger a call to the getaddrinfo function. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7423 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2013-7424 CVE STATUS: Patched CVE SUMMARY: The getaddrinfo function in glibc before 2.15, when compiled with libidn and the AI_IDN flag is used, allows context-dependent attackers to cause a denial of service (invalid free) and possibly execute arbitrary code via unspecified vectors, as demonstrated by an internationalized domain name to ping6. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7424 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2014-0475 CVE STATUS: Patched CVE SUMMARY: Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0475 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2014-4043 CVE STATUS: Patched CVE SUMMARY: The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4043 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2014-5119 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library (aka glibc) allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5119 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2014-6040 CVE STATUS: Patched CVE SUMMARY: GNU C Library (aka glibc) before 2.20 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a multibyte character value of "0xffff" to the iconv function when converting (1) IBM933, (2) IBM935, (3) IBM937, (4) IBM939, or (5) IBM1364 encoded data to UTF-8. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-6040 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2014-7817 CVE STATUS: Patched CVE SUMMARY: The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))". CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7817 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2014-8121 CVE STATUS: Patched CVE SUMMARY: DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up on a database while iterating over it, which triggers the file pointer to be reset. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8121 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2014-9402 CVE STATUS: Patched CVE SUMMARY: The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9402 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2014-9761 CVE STATUS: Patched CVE SUMMARY: Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9761 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2014-9984 CVE STATUS: Patched CVE SUMMARY: nscd in the GNU C Library (aka glibc or libc6) before version 2.20 does not correctly compute the size of an internal buffer when processing netgroup requests, possibly leading to an nscd daemon crash or code execution as the user running nscd. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9984 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2015-0235 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0235 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2015-1472 CVE STATUS: Patched CVE SUMMARY: The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka glibc or libc6) before 2.21 does not properly consider data-type size during memory allocation, which allows context-dependent attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long line containing wide characters that are improperly handled in a wscanf call. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1472 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2015-1473 CVE STATUS: Patched CVE SUMMARY: The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka glibc or libc6) before 2.21 does not properly consider data-type size during a risk-management decision for use of the alloca function, which might allow context-dependent attackers to cause a denial of service (segmentation violation) or overwrite memory locations beyond the stack boundary via a long line containing wide characters that are improperly handled in a wscanf call. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1473 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2015-1781 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the gethostbyname_r and other unspecified NSS functions in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response, which triggers a call with a misaligned buffer. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1781 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2015-20109 CVE STATUS: Patched CVE SUMMARY: end_pattern (called from internal_fnmatch) in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash), as demonstrated by use of the fnmatch library function with the **(!() pattern. NOTE: this is not the same as CVE-2015-8984; also, some Linux distributions have fixed CVE-2015-8984 but have not fixed this additional fnmatch issue. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-20109 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2015-5180 CVE STATUS: Patched CVE SUMMARY: res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5180 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2015-5277 CVE STATUS: Patched CVE SUMMARY: The get_contents function in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) before 2.20 might allow local users to cause a denial of service (heap corruption) or gain privileges via a long line in the NSS files database. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5277 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2015-7547 CVE STATUS: Patched CVE SUMMARY: Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7547 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2015-8776 CVE STATUS: Patched CVE SUMMARY: The strftime function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly obtain sensitive information via an out-of-range time value. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8776 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2015-8777 CVE STATUS: Patched CVE SUMMARY: The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8777 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2015-8778 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via the size argument to the __hcreate_r function, which triggers out-of-bounds heap-memory access. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8778 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2015-8779 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the catopen function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long catalog name. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8779 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2015-8982 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8982 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2015-8983 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8983 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2015-8984 CVE STATUS: Patched CVE SUMMARY: The fnmatch function in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash) via a malformed pattern, which triggers an out-of-bounds read. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8984 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2015-8985 CVE STATUS: Patched CVE SUMMARY: The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to extended regular expression processing. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8985 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2016-10228 CVE STATUS: Patched CVE SUMMARY: The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10228 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2016-10739 CVE STATUS: Patched CVE SUMMARY: In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10739 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2016-1234 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the glob implementation in GNU C Library (aka glibc) before 2.24, when GLOB_ALTDIRFUNC is used, allows context-dependent attackers to cause a denial of service (crash) via a long name. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1234 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2016-3075 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the nss_dns implementation of the getnetbyname function in GNU C Library (aka glibc) before 2.24 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a long name. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3075 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2016-3706 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in the GNU C Library (aka glibc or libc6) allows remote attackers to cause a denial of service (crash) via vectors involving hostent conversion. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4458. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3706 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2016-4429 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4429 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2016-5417 CVE STATUS: Patched CVE SUMMARY: Memory leak in the __res_vinit function in the IPv6 name server management code in libresolv in GNU C Library (aka glibc or libc6) before 2.24 allows remote attackers to cause a denial of service (memory consumption) by leveraging partial initialization of internal resolver data structures. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5417 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2016-6323 CVE STATUS: Patched CVE SUMMARY: The makecontext function in the GNU C Library (aka glibc or libc6) before 2.25 creates execution contexts incompatible with the unwinder on ARM EABI (32-bit) platforms, which might allow context-dependent attackers to cause a denial of service (hang), as demonstrated by applications compiled using gccgo, related to backtrace generation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6323 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2017-1000366 CVE STATUS: Patched CVE SUMMARY: glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000366 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2017-1000408 CVE STATUS: Patched CVE SUMMARY: A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000408 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2017-1000409 CVE STATUS: Patched CVE SUMMARY: A buffer overflow in glibc 2.5 (released on September 29, 2006) and can be triggered through the LD_LIBRARY_PATH environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000409 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2017-12132 CVE STATUS: Patched CVE SUMMARY: The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12132 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2017-12133 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) before 2.26 allows remote attackers to have unspecified impact via vectors related to error path. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12133 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2017-15670 CVE STATUS: Patched CVE SUMMARY: The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15670 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2017-15671 CVE STATUS: Patched CVE SUMMARY: The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15671 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2017-15804 CVE STATUS: Patched CVE SUMMARY: The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15804 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2017-16997 CVE STATUS: Patched CVE SUMMARY: elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16997 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2017-17426 CVE STATUS: Patched CVE SUMMARY: The malloc function in the GNU C Library (aka glibc or libc6) 2.26 could return a memory block that is too small if an attempt is made to allocate an object whose size is close to SIZE_MAX, potentially leading to a subsequent heap overflow. This occurs because the per-thread cache (aka tcache) feature enables a code path that lacks an integer overflow check. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17426 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2017-18269 CVE STATUS: Patched CVE SUMMARY: An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library (aka glibc or libc6) 2.21 through 2.27 does not correctly perform the overlapping memory check if the source memory range spans the middle of the address space, resulting in corrupt data being produced by the copy operation. This may disclose information to context-dependent attackers, or result in a denial of service, or, possibly, code execution. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18269 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2017-8804 CVE STATUS: Patched CVE SUMMARY: The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779. NOTE: [Information provided from upstream and references CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8804 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2018-1000001 CVE STATUS: Patched CVE SUMMARY: In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000001 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2018-11236 CVE STATUS: Patched CVE SUMMARY: stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11236 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2018-11237 CVE STATUS: Patched CVE SUMMARY: An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11237 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2018-19591 CVE STATUS: Patched CVE SUMMARY: In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19591 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2018-20796 CVE STATUS: Patched CVE SUMMARY: In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\\1\\1|t1|\\\2537)+' in grep. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20796 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2018-6485 CVE STATUS: Patched CVE SUMMARY: An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6485 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2018-6551 CVE STATUS: Patched CVE SUMMARY: The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6551 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2019-1010022 CVE STATUS: Ignored CVE DETAIL: disputed CVE DESCRIPTION: Upstream glibc maintainers dispute there is any issue and have no plans to address it further. this is being treated as a non-security bug and no real threat. CVE SUMMARY: GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010022 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2019-1010023 CVE STATUS: Ignored CVE DETAIL: disputed CVE DESCRIPTION: Upstream glibc maintainers dispute there is any issue and have no plans to address it further. this is being treated as a non-security bug and no real threat. CVE SUMMARY: GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010023 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2019-1010024 CVE STATUS: Ignored CVE DETAIL: disputed CVE DESCRIPTION: Upstream glibc maintainers dispute there is any issue and have no plans to address it further. this is being treated as a non-security bug and no real threat. CVE SUMMARY: GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010024 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2019-1010025 CVE STATUS: Ignored CVE DETAIL: disputed CVE DESCRIPTION: Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow easier access for another. 'ASLR bypass itself is not a vulnerability.' CVE SUMMARY: GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1010025 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2019-19126 CVE STATUS: Patched CVE SUMMARY: On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19126 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2019-25013 CVE STATUS: Patched CVE SUMMARY: The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-25013 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2019-6488 CVE STATUS: Patched CVE SUMMARY: The string component in the GNU C Library (aka glibc or libc6) through 2.28, when running on the x32 architecture, incorrectly attempts to use a 64-bit register for size_t in assembly codes, which can lead to a segmentation fault or possibly unspecified other impact, as demonstrated by a crash in __memmove_avx_unaligned_erms in sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6488 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2019-7309 CVE STATUS: Patched CVE SUMMARY: In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-7309 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2019-9169 CVE STATUS: Patched CVE SUMMARY: In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9169 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2019-9192 CVE STATUS: Patched CVE SUMMARY: In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\\1\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9192 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2020-10029 CVE STATUS: Patched CVE SUMMARY: The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10029 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2020-1751 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 5.9 CVSS v3 BASE SCORE: 5.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1751 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2020-1752 CVE STATUS: Patched CVE SUMMARY: A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32. CVSS v2 BASE SCORE: 3.7 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1752 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2020-27618 CVE STATUS: Patched CVE SUMMARY: The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27618 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2020-29562 CVE STATUS: Patched CVE SUMMARY: The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29562 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2020-29573 CVE STATUS: Patched CVE SUMMARY: sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23 on x86 targets has a stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern, as seen when passing a \x00\x04\x00\x00\x00\x00\x00\x00\x00\x04 value to sprintf. NOTE: the issue does not affect glibc by default in 2016 or later (i.e., 2.23 or later) because of commits made in 2015 for inlining of C99 math functions through use of GCC built-ins. In other words, the reference to 2.23 is intentional despite the mention of "Fixed for glibc 2.33" in the 26649 reference. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29573 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2020-6096 CVE STATUS: Patched CVE SUMMARY: An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-6096 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2021-27645 CVE STATUS: Patched CVE SUMMARY: The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 2.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-27645 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2021-3326 CVE STATUS: Patched CVE SUMMARY: The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3326 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2021-33574 CVE STATUS: Patched CVE SUMMARY: The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33574 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2021-35942 CVE STATUS: Patched CVE SUMMARY: The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-35942 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2021-38604 CVE STATUS: Patched CVE SUMMARY: In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain NOTIFY_REMOVED data, leading to a NULL pointer dereference. NOTE: this vulnerability was introduced as a side effect of the CVE-2021-33574 fix. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38604 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2021-3998 CVE STATUS: Patched CVE SUMMARY: A flaw was found in glibc. The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3998 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2021-3999 CVE STATUS: Patched CVE SUMMARY: A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3999 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2021-43396 CVE STATUS: Patched CVE SUMMARY: In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases. NOTE: the vendor states "the bug cannot be invoked through user input and requires iconv to be invoked with a NULL inbuf, which ought to require a separate application bug to do so unintentionally. Hence there's no security impact to the bug. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43396 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2022-23218 CVE STATUS: Patched CVE SUMMARY: The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23218 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2022-23219 CVE STATUS: Patched CVE SUMMARY: The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23219 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2022-39046 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the GNU C Library (glibc) 2.36. When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-39046 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2023-0687 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in GNU C Library 2.38. It has been declared as critical. This vulnerability affects the function __monstartup of the file gmon.c of the component Call Graph Monitor. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. VDB-220246 is the identifier assigned to this vulnerability. NOTE: The real existence of this vulnerability is still doubted at the moment. The inputs that induce this vulnerability are basically addresses of the running application that is built with gmon enabled. It's basically trusted input or input that needs an actual security flaw to be compromised or controlled. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 4.6 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:H/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0687 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2023-25139 CVE STATUS: Patched CVE SUMMARY: sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of a number, if the buffer is allocated the exact size required to represent that number as a string. For example, 1,234,567 (with padding to 13) overflows by two bytes. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25139 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2023-4527 CVE STATUS: Patched CVE SUMMARY: A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4527 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2023-4806 CVE STATUS: Patched CVE SUMMARY: A flaw has been identified in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4806 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2023-4813 CVE STATUS: Patched CVE SUMMARY: A flaw has been identified in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4813 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2023-4911 CVE STATUS: Patched CVE SUMMARY: A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4911 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2023-5156 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5156 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2023-6246 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6246 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2023-6779 CVE STATUS: Patched CVE SUMMARY: An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6779 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2023-6780 CVE STATUS: Patched CVE SUMMARY: An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6780 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2024-2961 CVE STATUS: Patched CVE DETAIL: cpe-stable-backport CVE DESCRIPTION: fix available in used git hash CVE SUMMARY: The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-2961 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2024-33599 CVE STATUS: Patched CVE DETAIL: cpe-stable-backport CVE DESCRIPTION: fix available in used git hash CVE SUMMARY: nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-33599 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2024-33600 CVE STATUS: Patched CVE DETAIL: cpe-stable-backport CVE DESCRIPTION: fix available in used git hash CVE SUMMARY: nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-33600 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2024-33601 CVE STATUS: Patched CVE DETAIL: cpe-stable-backport CVE DESCRIPTION: fix available in used git hash CVE SUMMARY: nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-33601 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2024-33602 CVE STATUS: Patched CVE DETAIL: cpe-stable-backport CVE DESCRIPTION: fix available in used git hash CVE SUMMARY: nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-33602 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2025-0395 CVE STATUS: Patched CVE DETAIL: cpe-stable-backport CVE DESCRIPTION: fix available in used git hash CVE SUMMARY: When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-0395 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2025-15281 CVE STATUS: Patched CVE DETAIL: cpe-stable-backport CVE DESCRIPTION: fix available in used git hash CVE SUMMARY: Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-15281 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2025-4802 CVE STATUS: Patched CVE DETAIL: cpe-stable-backport CVE DESCRIPTION: fix available in used git hash CVE SUMMARY: Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-4802 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2025-5702 CVE STATUS: Patched CVE DETAIL: cpe-stable-backport CVE DESCRIPTION: fix available in used git hash CVE SUMMARY: The strcmp implementation optimized for the Power10 processor in the GNU C Library version 2.39 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-5702 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2025-5745 CVE STATUS: Patched CVE SUMMARY: The strncmp implementation optimized for the Power10 processor in the GNU C Library version 2.40 and later writes to vector registers v20 to v31 without saving contents from the caller (those registers are defined as non-volatile registers by the powerpc64le ABI), resulting in overwriting of its contents and potentially altering control flow of the caller, or leaking the input strings to the function to other parts of the program. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-5745 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2025-8058 CVE STATUS: Patched CVE DETAIL: cpe-stable-backport CVE DESCRIPTION: fix available in used git hash CVE SUMMARY: The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 5.9 VECTOR: LOCAL VECTORSTRING: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-8058 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2026-0861 CVE STATUS: Patched CVE DETAIL: cpe-stable-backport CVE DESCRIPTION: fix available in used git hash CVE SUMMARY: Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-0861 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2026-0915 CVE STATUS: Patched CVE DETAIL: cpe-stable-backport CVE DESCRIPTION: fix available in used git hash CVE SUMMARY: Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-0915 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2026-3904 CVE STATUS: Patched CVE SUMMARY: Calling NSS-backed functions that support caching via nscd may call the nscd client side code and in the GNU C Library version 2.36 under high load on x86_64 systems, the client may call memcmp on inputs that are concurrently modified by other processes or threads and crash. The nscd client in the GNU C Library uses the memcmp function with inputs that may be concurrently modified by another thread, potentially resulting in spurious cache misses, which in itself is not a security issue.  However in the GNU C Library version 2.36 an optimized implementation of memcmp was introduced for x86_64 which could crash when invoked with such undefined behaviour, turning this into a potential crash of the nscd client and the application that uses it. This implementation was backported to the 2.35 branch, making the nscd client in that branch vulnerable as well.  Subsequently, the fix for this issue was backported to all vulnerable branches in the GNU C Library repository. It is advised that distributions that may have cherry-picked the memcpy SSE2 optimization in their copy of the GNU C Library, also apply the fix to avoid the potential crash in the nscd client. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3904 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2026-4046 CVE STATUS: Unpatched CVE SUMMARY: The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-4046 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2026-4437 CVE STATUS: Unpatched CVE SUMMARY: Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-4437 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2026-4438 CVE STATUS: Unpatched CVE SUMMARY: Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.4 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-4438 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2026-5435 CVE STATUS: Unpatched CVE SUMMARY: The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5435 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2026-5450 CVE STATUS: Unpatched CVE SUMMARY: Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5450 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2026-5928 CVE STATUS: Unpatched CVE SUMMARY: Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5928 LAYER: meta PACKAGE NAME: glibc PACKAGE VERSION: 2.39+git CVE: CVE-2026-6238 CVE STATUS: Unpatched CVE SUMMARY: The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory. These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6238 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2004-0691 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2004-0692 CVE STATUS: Patched CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2004-0693 CVE STATUS: Patched CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2005-0627 CVE STATUS: Patched CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2006-4811 CVE STATUS: Patched CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2007-0242 CVE STATUS: Patched CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2007-3388 CVE STATUS: Patched CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2007-4137 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2009-2700 CVE STATUS: Patched CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2010-1766 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2010-2621 CVE STATUS: Patched CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2010-5076 CVE STATUS: Patched CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2011-3193 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2011-3194 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2012-5624 CVE STATUS: Patched CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2012-6093 CVE STATUS: Patched CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2013-0254 CVE STATUS: Patched CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2013-4549 CVE STATUS: Patched CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2014-0190 CVE STATUS: Patched CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-0295 CVE STATUS: Patched CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1290 CVE STATUS: Patched CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1858 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1859 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1860 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-7298 CVE STATUS: Patched CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-9541 CVE STATUS: Patched CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2017-10904 CVE STATUS: Patched CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2017-10905 CVE STATUS: Patched CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2017-15011 CVE STATUS: Patched CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-15518 CVE STATUS: Patched CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19865 CVE STATUS: Patched CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19869 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19870 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19871 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19872 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19873 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-21035 CVE STATUS: Patched CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-0569 CVE STATUS: Patched CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 5.7 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-0570 CVE STATUS: Patched CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-12267 CVE STATUS: Patched CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-13962 CVE STATUS: Patched CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.) CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-17507 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-24742 CVE STATUS: Patched CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2021-28025 CVE STATUS: Patched CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2021-3481 CVE STATUS: Patched CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2021-38593 CVE STATUS: Patched CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2021-45930 CVE STATUS: Patched CVE SUMMARY: Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an out-of-bounds write in QtPrivate::QCommonArrayOps::growAppend (called from QPainterPath::addPath and QPathClipper::intersect). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45930 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-25255 CVE STATUS: Patched CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-25634 CVE STATUS: Patched CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-40983 CVE STATUS: Patched CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-43591 CVE STATUS: Patched CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-24607 CVE STATUS: Patched CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32573 CVE STATUS: Patched CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32762 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32763 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-33285 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-34410 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-37369 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-38197 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-43114 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-51714 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-25580 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-25580 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-30161 CVE STATUS: Patched CVE SUMMARY: In Qt 6.5.4, 6.5.5, and 6.6.2, QNetworkReply header data might be accessed via a dangling pointer in Qt for WebAssembly (wasm). (Earlier and later versions are unaffected.) CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-30161 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-36048 CVE STATUS: Unpatched CVE SUMMARY: QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36048 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-39936 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-30348 CVE STATUS: Unpatched CVE SUMMARY: encodeText in QDom in Qt before 6.8.0 has a complex algorithm involving XML string copy and inline replacement of parts of a string (with relocation of later data). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-30348 LAYER: meta-qt5 PACKAGE NAME: qtsvg PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-5683 CVE STATUS: Patched CVE SUMMARY: When loading a specifically crafted ICNS format image file in QImage then it will trigger a crash. This issue affects Qt from versions 6.3.0 through 6.5.9, from 6.6.0 through 6.8.4, 6.9.0. This is fixed in 6.5.10, 6.8.5 and 6.9.1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 5.1 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-5683 LAYER: meta PACKAGE NAME: shadow PACKAGE VERSION: 4.14.2 CVE: CVE-2004-1001 CVE STATUS: Patched CVE SUMMARY: Unknown vulnerability in the passwd_check function in Shadow 4.0.4.1, and possibly other versions before 4.0.5, allows local users to conduct unauthorized activities when an error from a pam_chauthtok function call is not properly handled. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1001 LAYER: meta PACKAGE NAME: shadow PACKAGE VERSION: 4.14.2 CVE: CVE-2005-4890 CVE STATUS: Patched CVE SUMMARY: There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4890 LAYER: meta PACKAGE NAME: shadow PACKAGE VERSION: 4.14.2 CVE: CVE-2006-1174 CVE STATUS: Patched CVE SUMMARY: useradd in shadow-utils before 4.0.3, and possibly other versions before 4.0.8, does not provide a required argument to the open function when creating a new user mailbox, which causes the mailbox to be created with unpredictable permissions and possibly allows attackers to read or modify the mailbox. CVSS v2 BASE SCORE: 3.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1174 LAYER: meta PACKAGE NAME: shadow PACKAGE VERSION: 4.14.2 CVE: CVE-2006-1844 CVE STATUS: Patched CVE SUMMARY: The Debian installer for the (1) shadow 4.0.14 and (2) base-config 2.53.10 packages includes sensitive information in world-readable log files, including preseeded passwords and pppoeconf passwords, which might allow local users to gain privileges. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1844 LAYER: meta PACKAGE NAME: shadow PACKAGE VERSION: 4.14.2 CVE: CVE-2008-5394 CVE STATUS: Patched CVE SUMMARY: /bin/login in shadow 4.0.18.1 in Debian GNU/Linux, and probably other Linux distributions, allows local users in the utmp group to overwrite arbitrary files via a symlink attack on a temporary file referenced in a line (aka ut_line) field in a utmp entry. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5394 LAYER: meta PACKAGE NAME: shadow PACKAGE VERSION: 4.14.2 CVE: CVE-2011-0721 CVE STATUS: Patched CVE SUMMARY: Multiple CRLF injection vulnerabilities in (1) chfn and (2) chsh in shadow 1:4.1.4 allow local users to add new users or groups to /etc/passwd via the GECOS field. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0721 LAYER: meta PACKAGE NAME: shadow PACKAGE VERSION: 4.14.2 CVE: CVE-2013-4235 CVE STATUS: Ignored CVE DETAIL: upstream-wontfix CVE DESCRIPTION: Severity is low and marked as closed and won't fix. CVE SUMMARY: shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4235 LAYER: meta PACKAGE NAME: shadow PACKAGE VERSION: 4.14.2 CVE: CVE-2016-6252 CVE STATUS: Patched CVE SUMMARY: Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6252 LAYER: meta PACKAGE NAME: shadow PACKAGE VERSION: 4.14.2 CVE: CVE-2017-12424 CVE STATUS: Patched CVE SUMMARY: In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12424 LAYER: meta PACKAGE NAME: shadow PACKAGE VERSION: 4.14.2 CVE: CVE-2017-20002 CVE STATUS: Patched CVE SUMMARY: The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. This allows local users to login as password-less users even if they are connected by non-physical means such as SSH (hence bypassing PAM's nullok_secure configuration). This notably affects environments such as virtual machines automatically generated with a default blank root password, allowing all local users to escalate privileges. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-20002 LAYER: meta PACKAGE NAME: shadow PACKAGE VERSION: 4.14.2 CVE: CVE-2018-16588 CVE STATUS: Patched CVE SUMMARY: Privilege escalation can occur in the SUSE useradd.c code in useradd, as distributed in the SUSE shadow package through 4.2.1-27.9.1 for SUSE Linux Enterprise 12 (SLE-12) and through 4.5-5.39 for SUSE Linux Enterprise 15 (SLE-15). Non-existing intermediate directories are created with mode 0777 during user creation. Given that they are world-writable, local attackers might use this for privilege escalation and other unspecified attacks. NOTE: this would affect non-SUSE users who took useradd.c code from a 2014-04-02 upstream pull request; however, no non-SUSE distribution is known to be affected. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16588 LAYER: meta PACKAGE NAME: shadow PACKAGE VERSION: 4.14.2 CVE: CVE-2018-7169 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7169 LAYER: meta PACKAGE NAME: shadow PACKAGE VERSION: 4.14.2 CVE: CVE-2019-16110 CVE STATUS: Patched CVE SUMMARY: The network protocol of Blade Shadow though 2.13.3 allows remote attackers to take control of a Shadow instance and execute arbitrary code by only knowing the victim's IP address, because packet data can be injected into the unencrypted UDP packet stream. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16110 LAYER: meta PACKAGE NAME: shadow PACKAGE VERSION: 4.14.2 CVE: CVE-2019-19882 CVE STATUS: Patched CVE SUMMARY: shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8). CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19882 LAYER: meta PACKAGE NAME: shadow PACKAGE VERSION: 4.14.2 CVE: CVE-2023-29383 CVE STATUS: Patched CVE SUMMARY: In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29383 LAYER: meta PACKAGE NAME: libtheora PACKAGE VERSION: 1.1.1 CVE: CVE-2024-56431 CVE STATUS: Unpatched CVE SUMMARY: oc_huff_tree_unpack in huffdec.c in libtheora in Theora through 1.0 7180717 has an invalid negative left shift. NOTE: this is disputed by third parties because there is no evidence of a security impact, e.g., an application would not crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-56431 LAYER: meta PACKAGE NAME: libtheora PACKAGE VERSION: 1.1.1 CVE: CVE-2026-5673 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libtheora. This heap-based out-of-bounds read vulnerability exists within the AVI (Audio Video Interleave) parser, specifically in the avi_parse_input_file() function. A local attacker could exploit this by tricking a user into opening a specially crafted AVI file containing a truncated header sub-chunk. This could lead to a denial-of-service (application crash) or potentially leak sensitive information from the heap. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5673 LAYER: meta PACKAGE NAME: pixman PACKAGE VERSION: 1_0.42.2 CVE: CVE-2013-6424 CVE STATUS: Patched CVE SUMMARY: Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6424 LAYER: meta PACKAGE NAME: pixman PACKAGE VERSION: 1_0.42.2 CVE: CVE-2013-6425 CVE STATUS: Patched CVE SUMMARY: Integer underflow in the pixman_trapezoid_valid macro in pixman.h in Pixman before 0.32.0, as used in X.Org server and cairo, allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6425 LAYER: meta PACKAGE NAME: pixman PACKAGE VERSION: 1_0.42.2 CVE: CVE-2014-9766 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the create_bits function in pixman-bits-image.c in Pixman before 0.32.6 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via large height and stride values. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9766 LAYER: meta PACKAGE NAME: pixman PACKAGE VERSION: 1_0.42.2 CVE: CVE-2015-5297 CVE STATUS: Patched CVE SUMMARY: An integer overflow issue has been reported in the general_composite_rect() function in pixman prior to version 0.32.8. An attacker could exploit this issue to cause an application using pixman to crash or, potentially, execute arbitrary code. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5297 LAYER: meta PACKAGE NAME: pixman PACKAGE VERSION: 1_0.42.2 CVE: CVE-2022-44638 CVE STATUS: Patched CVE SUMMARY: In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-44638 LAYER: meta PACKAGE NAME: pixman PACKAGE VERSION: 1_0.42.2 CVE: CVE-2023-37769 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: stress-test is an uninstalled test CVE SUMMARY: stress-test master commit e4c878 was discovered to contain a FPE vulnerability via the component combine_inner at /pixman-combine-float.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37769 LAYER: meta PACKAGE NAME: harfbuzz PACKAGE VERSION: 8.3.0 CVE: CVE-2015-8947 CVE STATUS: Patched CVE SUMMARY: hb-ot-layout-gpos-table.hh in HarfBuzz before 1.0.5 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data, a different vulnerability than CVE-2016-2052. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 7.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8947 LAYER: meta PACKAGE NAME: harfbuzz PACKAGE VERSION: 8.3.0 CVE: CVE-2015-9274 CVE STATUS: Patched CVE SUMMARY: HarfBuzz before 1.0.4 allows remote attackers to cause a denial of service (invalid read of two bytes and application crash) because of GPOS and GSUB table mishandling, related to hb-ot-layout-gpos-table.hh, hb-ot-layout-gsub-table.hh, and hb-ot-layout-gsubgpos-private.hh. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9274 LAYER: meta PACKAGE NAME: harfbuzz PACKAGE VERSION: 8.3.0 CVE: CVE-2016-2052 CVE STATUS: Patched CVE SUMMARY: Multiple unspecified vulnerabilities in HarfBuzz before 1.0.6, as used in Google Chrome before 48.0.2564.82, allow attackers to cause a denial of service or possibly have other impact via crafted data, as demonstrated by a buffer over-read resulting from an inverted length check in hb-ot-font.cc, a different issue than CVE-2015-8947. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2052 LAYER: meta PACKAGE NAME: harfbuzz PACKAGE VERSION: 8.3.0 CVE: CVE-2021-45931 CVE STATUS: Patched CVE SUMMARY: HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t::set and hb_set_copy). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45931 LAYER: meta PACKAGE NAME: harfbuzz PACKAGE VERSION: 8.3.0 CVE: CVE-2022-33068 CVE STATUS: Patched CVE SUMMARY: An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33068 LAYER: meta PACKAGE NAME: harfbuzz PACKAGE VERSION: 8.3.0 CVE: CVE-2023-25193 CVE STATUS: Patched CVE SUMMARY: hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25193 LAYER: meta PACKAGE NAME: harfbuzz PACKAGE VERSION: 8.3.0 CVE: CVE-2026-22693 CVE STATUS: Unpatched CVE SUMMARY: HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-22693 LAYER: meta-oe PACKAGE NAME: udisks2 PACKAGE VERSION: 2.10.2 CVE: CVE-2010-1149 CVE STATUS: Patched CVE SUMMARY: probers/udisks-dm-export.c in udisks before 1.0.1 exports UDISKS_DM_TARGETS_PARAMS information to udev even for a crypt UDISKS_DM_TARGETS_TYPE, which allows local users to discover encryption keys by (1) running a certain udevadm command or (2) reading a certain file under /dev/.udev/db/. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1149 LAYER: meta-oe PACKAGE NAME: udisks2 PACKAGE VERSION: 2.10.2 CVE: CVE-2010-4661 CVE STATUS: Patched CVE SUMMARY: udisks before 1.0.3 allows a local user to load arbitrary Linux kernel modules. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4661 LAYER: meta-oe PACKAGE NAME: udisks2 PACKAGE VERSION: 2.10.2 CVE: CVE-2014-0004 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in udisks before 1.0.5 and 2.x before 2.1.3 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long mount point. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0004 LAYER: meta-oe PACKAGE NAME: udisks2 PACKAGE VERSION: 2.10.2 CVE: CVE-2018-17336 CVE STATUS: Patched CVE SUMMARY: UDisks 2.8.0 has a format string vulnerability in udisks_log in udiskslogging.c, allowing attackers to obtain sensitive information (stack contents), cause a denial of service (memory corruption), or possibly have unspecified other impact via a malformed filesystem label, as demonstrated by %d or %n substrings. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17336 LAYER: meta-oe PACKAGE NAME: udisks2 PACKAGE VERSION: 2.10.2 CVE: CVE-2021-3802 CVE STATUS: Patched CVE SUMMARY: A vulnerability found in udisks2. This flaw allows an attacker to input a specially crafted image file/USB leading to kernel panic. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 6.3 CVSS v3 BASE SCORE: 4.2 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3802 LAYER: meta-oe PACKAGE NAME: udisks2 PACKAGE VERSION: 2.10.2 CVE: CVE-2026-26103 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-26103 LAYER: meta-oe PACKAGE NAME: udisks2 PACKAGE VERSION: 2.10.2 CVE: CVE-2026-26104 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive cryptographic metadata can be read and written to attacker-controlled locations. This weakens the confidentiality guarantees of encrypted storage volumes. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-26104 LAYER: meta PACKAGE NAME: grep PACKAGE VERSION: 3.11 CVE: CVE-2012-5667 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in GNU Grep before 2.11 might allow context-dependent attackers to execute arbitrary code via vectors involving a long input line that triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5667 LAYER: meta PACKAGE NAME: grep PACKAGE VERSION: 3.11 CVE: CVE-2015-1345 CVE STATUS: Patched CVE SUMMARY: The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows local users to cause a denial of service (out-of-bounds heap read and crash) via crafted input when using the -F option. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1345 LAYER: meta PACKAGE NAME: json-c PACKAGE VERSION: 0.17 CVE: CVE-2013-6370 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the printbuf APIs in json-c before 0.12 allows remote attackers to cause a denial of service via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6370 LAYER: meta PACKAGE NAME: json-c PACKAGE VERSION: 0.17 CVE: CVE-2013-6371 CVE STATUS: Patched CVE SUMMARY: The hash functionality in json-c before 0.12 allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted JSON data, involving collisions. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6371 LAYER: meta PACKAGE NAME: json-c PACKAGE VERSION: 0.17 CVE: CVE-2020-12762 CVE STATUS: Patched CVE SUMMARY: json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12762 LAYER: meta PACKAGE NAME: json-c PACKAGE VERSION: 0.17 CVE: CVE-2021-32292 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in json-c from 20200420 (post 0.14 unreleased code) through 0.15-20200726. A stack-buffer-overflow exists in the auxiliary sample program json_parse which is located in the function parseit. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-32292 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2005-2547 CVE STATUS: Patched CVE SUMMARY: security.c in hcid for BlueZ 2.16, 2.17, and 2.18 allows remote attackers to execute arbitrary commands via shell metacharacters in the Bluetooth device name when invoking the PIN helper. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2547 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2006-6899 CVE STATUS: Patched CVE SUMMARY: hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain control of the (1) Mouse and (2) Keyboard Human Interface Device (HID) via a certain configuration of two HID (PSM) endpoints, operating as a server, aka HidAttack. CVSS v2 BASE SCORE: 5.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6899 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2016-7837 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in BlueZ 5.41 and earlier allows an attacker to execute arbitrary code via the parse_line function used in some userland utilities. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7837 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2016-9797 CVE STATUS: Patched CVE SUMMARY: In BlueZ 5.42, a buffer over-read was observed in "l2cap_dump" function in "tools/parser/l2cap.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9797 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2016-9798 CVE STATUS: Patched CVE SUMMARY: In BlueZ 5.42, a use-after-free was identified in "conf_opt" function in "tools/parser/l2cap.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9798 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2016-9799 CVE STATUS: Patched CVE SUMMARY: In BlueZ 5.42, a buffer overflow was observed in "pklg_read_hci" function in "btsnoop.c" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9799 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2016-9800 CVE STATUS: Patched CVE SUMMARY: In BlueZ 5.42, a buffer overflow was observed in "pin_code_reply_dump" function in "tools/parser/hci.c" source file. The issue exists because "pin" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame "pin_code_reply_cp *cp" parameter. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9800 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2016-9801 CVE STATUS: Patched CVE SUMMARY: In BlueZ 5.42, a buffer overflow was observed in "set_ext_ctrl" function in "tools/parser/l2cap.c" source file when processing corrupted dump file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9801 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2016-9802 CVE STATUS: Patched CVE SUMMARY: In BlueZ 5.42, a buffer over-read was identified in "l2cap_packet" function in "monitor/packet.c" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9802 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2016-9803 CVE STATUS: Patched CVE SUMMARY: In BlueZ 5.42, an out-of-bounds read was observed in "le_meta_ev_dump" function in "tools/parser/hci.c" source file. This issue exists because 'subevent' (which is used to read correct element from 'ev_le_meta_str' array) is overflowed. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9803 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2016-9804 CVE STATUS: Patched CVE SUMMARY: In BlueZ 5.42, a buffer overflow was observed in "commands_dump" function in "tools/parser/csr.c" source file. The issue exists because "commands" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame "frm->ptr" parameter. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9804 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2016-9917 CVE STATUS: Patched CVE SUMMARY: In BlueZ 5.42, a buffer overflow was observed in "read_n" function in "tools/hcidump.c" source file. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9917 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2016-9918 CVE STATUS: Patched CVE SUMMARY: In BlueZ 5.42, an out-of-bounds read was identified in "packet_hexdump" function in "monitor/packet.c" source file. This issue can be triggered by processing a corrupted dump file and will result in btmon crash. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9918 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2017-1000250 CVE STATUS: Patched CVE SUMMARY: All versions of the SDP server in BlueZ 5.46 and earlier are vulnerable to an information disclosure vulnerability which allows remote attackers to obtain sensitive information from the bluetoothd process memory. This vulnerability lies in the processing of SDP search attribute requests. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000250 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2018-10910 CVE STATUS: Patched CVE SUMMARY: A bug in Bluez may allow for the Bluetooth Discoverable state being set to on when no Bluetooth agent is registered with the system. This situation could lead to the unauthorized pairing of certain Bluetooth devices without any form of authentication. Versions before bluez 5.51 are vulnerable. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10910 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2019-8921 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in bluetoothd in BlueZ through 5.48. The vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data. The root cause can be found in the function service_attr_req of sdpd-request.c. The server does not check whether the CSTATE data is the same in consecutive requests, and instead simply trusts that it is the same. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8921 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2019-8922 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer overflow was discovered in bluetoothd in BlueZ through 5.48. There isn't any check on whether there is enough space in the destination buffer. The function simply appends all data passed to it. The values of all attributes that are requested are appended to the output buffer. There are no size checks whatsoever, resulting in a simple heap overflow if one can craft a request where the response is large enough to overflow the preallocated buffer. This issue exists in service_attr_req gets called by process_request (in sdpd-request.c), which also allocates the response buffer. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8922 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2020-0556 CVE STATUS: Patched CVE SUMMARY: Improper access control in subsystem for BlueZ before version 5.54 may allow an unauthenticated user to potentially enable escalation of privilege and denial of service via adjacent access CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0556 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2020-24490 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: This issue has kernel fixes rather than bluez fixes CVE SUMMARY: Improper buffer restrictions in BlueZ may allow an unauthenticated user to potentially enable denial of service via adjacent access. This affects all Linux kernel versions that support BlueZ. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24490 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2020-27153 CVE STATUS: Patched CVE SUMMARY: In BlueZ before 5.55, a double free was found in the gatttool disconnect_cb() routine from shared/att.c. A remote attacker could potentially cause a denial of service or code execution, during service discovery, due to a redundant disconnect MGMT event. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27153 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2021-0129 CVE STATUS: Patched CVE SUMMARY: Improper access control in BlueZ may allow an authenticated user to potentially enable information disclosure via adjacent access. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 5.7 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-0129 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2021-3588 CVE STATUS: Patched CVE SUMMARY: The cli_feat_read_cb() function in src/gatt-database.c does not perform bounds checks on the 'offset' variable before using it as an index into an array for reading. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3588 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2021-3658 CVE STATUS: Patched CVE SUMMARY: bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discoverable when powered on again. This could lead to inadvertent exposure of the bluetooth stack to physically nearby attackers. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3658 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2021-41229 CVE STATUS: Patched CVE SUMMARY: BlueZ is a Bluetooth protocol stack for Linux. In affected versions a vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-41229 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2021-43400 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43400 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2022-0204 CVE STATUS: Patched CVE SUMMARY: A heap overflow vulnerability was found in bluez in versions prior to 5.63. An attacker with local network access could pass specially crafted files causing an application to halt or crash, leading to a denial of service. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0204 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2022-3563 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as problematic has been found in Linux Kernel. Affected is the function read_50_controller_cap_complete of the file tools/mgmt-tester.c of the component BlueZ. The manipulation of the argument cap_len leads to null pointer dereference. It is recommended to apply a patch to fix this issue. VDB-211086 is the identifier assigned to this vulnerability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.5 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3563 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2022-3637 CVE STATUS: Patched CVE SUMMARY: A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function jlink_init of the file monitor/jlink.c of the component BlueZ. The manipulation leads to denial of service. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211936. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 2.6 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3637 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2022-39176 CVE STATUS: Patched CVE SUMMARY: BlueZ before 5.59 allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-39176 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2022-39177 CVE STATUS: Patched CVE SUMMARY: BlueZ before 5.59 allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-39177 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2023-27349 CVE STATUS: Patched CVE SUMMARY: BlueZ Audio Profile AVRCP Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19908. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27349 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2023-44431 CVE STATUS: Patched CVE SUMMARY: BlueZ Audio Profile AVRCP Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-19909. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-44431 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2023-50229 CVE STATUS: Patched CVE SUMMARY: BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device. The specific flaw exists within the handling of the Phone Book Access profile. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20936. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-50229 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2023-50230 CVE STATUS: Patched CVE SUMMARY: BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device. The specific flaw exists within the handling of the Phone Book Access profile. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20938. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-50230 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2023-51580 CVE STATUS: Patched CVE SUMMARY: BlueZ Audio Profile AVRCP avrcp_parse_attribute_list Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20852. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.4 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51580 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2023-51589 CVE STATUS: Patched CVE SUMMARY: BlueZ Audio Profile AVRCP parse_media_element Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20853. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.4 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51589 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2023-51592 CVE STATUS: Patched CVE SUMMARY: BlueZ Audio Profile AVRCP parse_media_folder Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device. The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20854. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.4 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51592 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2023-51594 CVE STATUS: Patched CVE SUMMARY: BlueZ OBEX Library Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device. The specific flaw exists within the handling of OBEX protocol parameters. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20937. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 2.6 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51594 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2023-51596 CVE STATUS: Patched CVE SUMMARY: BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device. The specific flaw exists within the handling of the Phone Book Access profile. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20939. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51596 LAYER: meta PACKAGE NAME: bluez5 PACKAGE VERSION: 5.72 CVE: CVE-2024-8805 CVE STATUS: Patched CVE SUMMARY: BlueZ HID over GATT Profile Improper Access Control Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the HID over GATT Profile. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25177. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-8805 LAYER: meta PACKAGE NAME: libxres PACKAGE VERSION: 1_1.2.2 CVE: CVE-2013-1988 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in X.org libXRes 1.0.6 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XResQueryClients and (2) XResQueryClientResources functions. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1988 LAYER: meta PACKAGE NAME: libxext PACKAGE VERSION: 1_1.3.6 CVE: CVE-2013-1982 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in X.org libXext 1.3.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XcupGetReservedColormapEntries, (2) XcupStoreColors, (3) XdbeGetVisualInfo, (4) XeviGetVisualInfo, (5) XShapeGetRectangles, and (6) XSyncListSystemCounters functions. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1982 LAYER: meta PACKAGE NAME: xinit PACKAGE VERSION: 1_1.4.2 CVE: CVE-2006-4447 CVE STATUS: Patched CVE SUMMARY: X.Org and XFree86, including libX11, xdm, xf86dga, xinit, xload, xtrans, and xterm, does not check the return values for setuid and seteuid calls when attempting to drop privileges, which might allow local users to gain privileges by causing those calls to fail, such as by exceeding a ulimit. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4447 LAYER: meta-oe PACKAGE NAME: yaml-cpp PACKAGE VERSION: 0.8.0 CVE: CVE-2017-11692 CVE STATUS: Patched CVE SUMMARY: The function "Token& Scanner::peek" in scanner.cpp in yaml-cpp 0.5.3 and earlier allows remote attackers to cause a denial of service (assertion failure and application exit) via a '!2' string. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11692 LAYER: meta-oe PACKAGE NAME: yaml-cpp PACKAGE VERSION: 0.8.0 CVE: CVE-2017-5950 CVE STATUS: Patched CVE SUMMARY: The SingleDocParser::HandleNode function in yaml-cpp (aka LibYaml-C++) 0.5.3 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5950 LAYER: meta-oe PACKAGE NAME: yaml-cpp PACKAGE VERSION: 0.8.0 CVE: CVE-2018-20573 CVE STATUS: Patched CVE SUMMARY: The Scanner::EnsureTokensInQueue function in yaml-cpp (aka LibYaml-C++) 0.6.2 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20573 LAYER: meta-oe PACKAGE NAME: yaml-cpp PACKAGE VERSION: 0.8.0 CVE: CVE-2018-20574 CVE STATUS: Patched CVE SUMMARY: The SingleDocParser::HandleFlowMap function in yaml-cpp (aka LibYaml-C++) 0.6.2 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20574 LAYER: meta-oe PACKAGE NAME: yaml-cpp PACKAGE VERSION: 0.8.0 CVE: CVE-2019-6285 CVE STATUS: Patched CVE SUMMARY: The SingleDocParser::HandleFlowSequence function in yaml-cpp (aka LibYaml-C++) 0.6.2 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6285 LAYER: meta-oe PACKAGE NAME: yaml-cpp PACKAGE VERSION: 0.8.0 CVE: CVE-2019-6292 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in singledocparser.cpp in yaml-cpp (aka LibYaml-C++) 0.6.2. Stack Exhaustion occurs in YAML::SingleDocParser, and there is a stack consumption problem caused by recursive stack frames: HandleCompactMap, HandleMap, HandleFlowSequence, HandleSequence, HandleNode. Remote attackers could leverage this vulnerability to cause a denial-of-service via a cpp file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6292 LAYER: meta PACKAGE NAME: libxxf86vm PACKAGE VERSION: 1_1.1.5 CVE: CVE-2013-2001 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in X.org libXxf86vm 1.1.2 and earlier allows X servers to cause a denial of service (crash) and possibly execute arbitrary code via crafted length or index values to the XF86VidModeGetGammaRamp function. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2001 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2014-2896 CVE STATUS: Patched CVE SUMMARY: The DoAlert function in the (1) TLS and (2) DTLS implementations in wolfSSL CyaSSL before 2.9.4 allows remote attackers to have unspecified impact and vectors, which trigger memory corruption or an out-of-bounds read. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2896 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2014-2897 CVE STATUS: Patched CVE SUMMARY: The SSL 3 HMAC functionality in wolfSSL CyaSSL 2.5.0 before 2.9.4 does not check the padding length when verification fails, which allows remote attackers to have unspecified impact via a crafted HMAC, which triggers an out-of-bounds read. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2897 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2014-2898 CVE STATUS: Patched CVE SUMMARY: wolfSSL CyaSSL before 2.9.4 allows remote attackers to have unspecified impact via multiple calls to the CyaSSL_read function which triggers an out-of-bounds read when an error occurs, related to not checking the return code and MAC verification failure. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2898 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2014-2901 CVE STATUS: Patched CVE SUMMARY: wolfssl before 3.2.0 does not properly issue certificates for a server's hostname. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2901 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2014-2902 CVE STATUS: Patched CVE SUMMARY: wolfssl before 3.2.0 does not properly authorize CA certificate for signing other certificates. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2902 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2014-2903 CVE STATUS: Patched CVE SUMMARY: CyaSSL does not check the key usage extension in leaf certificates, which allows remote attackers to spoof servers via a crafted server certificate not authorized for use in an SSL/TLS handshake. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2903 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2014-2904 CVE STATUS: Patched CVE SUMMARY: wolfssl before 3.2.0 has a server certificate that is not properly authorized for server authentication. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2904 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2015-6925 CVE STATUS: Patched CVE SUMMARY: wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or traffic amplification) via a crafted DTLS cookie in a ClientHello message. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6925 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2015-7744 CVE STATUS: Patched CVE SUMMARY: wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CRT) process when allowing ephemeral key exchange without low memory optimizations on a server, which makes it easier for remote attackers to obtain private RSA keys by capturing TLS handshakes, aka a Lenstra attack. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7744 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2016-7438 CVE STATUS: Patched CVE SUMMARY: The C software implementation of ECC in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users to discover RSA keys by leveraging cache-bank hit differences. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7438 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2016-7439 CVE STATUS: Patched CVE SUMMARY: The C software implementation of RSA in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users to discover RSA keys by leveraging cache-bank hit differences. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7439 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2016-7440 CVE STATUS: Patched CVE SUMMARY: The C software implementation of AES Encryption and Decryption in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users to discover AES keys by leveraging cache-bank timing differences. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7440 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2017-13099 CVE STATUS: Patched CVE SUMMARY: wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable wolfSSL application. This vulnerability is referred to as "ROBOT." CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13099 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2017-2800 CVE STATUS: Patched CVE SUMMARY: A specially crafted x509 certificate can cause a single out of bounds byte overwrite in wolfSSL through 3.10.2 resulting in potential certificate validation vulnerabilities, denial of service and possible remote code execution. In order to trigger this vulnerability, the attacker needs to supply a malicious x509 certificate to either a server or a client application using this library. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2800 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2017-6076 CVE STATUS: Patched CVE SUMMARY: In versions of wolfSSL before 3.10.2 the function fp_mul_comba makes it easier to extract RSA key information for a malicious user who has access to view cache on a machine. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6076 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2017-8854 CVE STATUS: Patched CVE SUMMARY: wolfSSL before 3.10.2 has an out-of-bounds memory access with loading crafted DH parameters, aka a buffer overflow triggered by a malformed temporary DH file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8854 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2017-8855 CVE STATUS: Patched CVE SUMMARY: wolfSSL before 3.11.0 does not prevent wc_DhAgree from accepting a malformed DH key. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8855 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2018-12436 CVE STATUS: Patched CVE SUMMARY: wolfcrypt/src/ecc.c in wolfSSL before 3.15.1.patch allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12436 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2018-16870 CVE STATUS: Patched CVE SUMMARY: It was found that wolfssl before 3.15.7 is vulnerable to a new variant of the Bleichenbacher attack to perform downgrade attacks against TLS. This may lead to leakage of sensible data. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16870 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2019-11873 CVE STATUS: Patched CVE SUMMARY: wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when a current identity size is greater than a client identity size. An attacker sends a crafted hello client packet over the network to a TLSv1.3 wolfSSL server. The length fields of the packet: record length, client hello length, total extensions length, PSK extension length, total identity length, and identity length contain their maximum value which is 2^16. The identity data field of the PSK extension of the packet contains the attack data, to be stored in the undefined memory (RAM) of the server. The size of the data is about 65 kB. Possibly the attacker can perform a remote code execution attack. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11873 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2019-13628 CVE STATUS: Patched CVE SUMMARY: wolfSSL and wolfCrypt 4.0.0 and earlier (when configured without --enable-fpecc, --enable-sp, or --enable-sp-math) contain a timing side channel in ECDSA signature generation. This allows a local attacker, able to precisely measure the duration of signature operations, to infer information about the nonces used and potentially mount a lattice attack to recover the private key used. The issue occurs because ecc.c scalar multiplication might leak the bit length. CVSS v2 BASE SCORE: 1.2 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13628 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2019-14317 CVE STATUS: Patched CVE SUMMARY: wolfSSL and wolfCrypt 4.1.0 and earlier (formerly known as CyaSSL) generate biased DSA nonces. This allows a remote attacker to compute the long term private key from several hundred DSA signatures via a lattice attack. The issue occurs because dsa.c fixes two bits of the generated nonces. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14317 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2019-15651 CVE STATUS: Patched CVE SUMMARY: wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCertExtensions in wolfcrypt/src/asn.c because reading the ASN_BOOLEAN byte is mishandled for a crafted DER certificate in GetLength_ex. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15651 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2019-16748 CVE STATUS: Patched CVE SUMMARY: In wolfSSL through 4.1.0, there is a missing sanity check of memory accesses in parsing ASN.1 certificate data while handshaking. Specifically, there is a one-byte heap-based buffer over-read in CheckCertSignature_ex in wolfcrypt/src/asn.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16748 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2019-18840 CVE STATUS: Patched CVE SUMMARY: In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks of memory accesses in parsing ASN.1 certificate data while handshaking. Specifically, there is a one-byte heap-based buffer overflow inside the DecodedCert structure in GetName in wolfcrypt/src/asn.c because the domain name location index is mishandled. Because a pointer is overwritten, there is an invalid free. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18840 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2019-19960 CVE STATUS: Patched CVE SUMMARY: In wolfSSL before 4.3.0, wc_ecc_mulmod_ex does not properly resist side-channel attacks. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19960 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2019-19962 CVE STATUS: Patched CVE SUMMARY: wolfSSL before 4.3.0 mishandles calls to wc_SignatureGenerateHash, leading to fault injection in RSA cryptography. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19962 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2019-19963 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in wolfSSL before 4.3.0 in a non-default configuration where DSA is enabled. DSA signing uses the BEEA algorithm during modular inversion of the nonce, leading to a side-channel attack against the nonce. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-19963 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2019-6439 CVE STATUS: Patched CVE SUMMARY: examples/benchmark/tls_bench.c in a benchmark tool in wolfSSL through 3.15.7 has a heap-based buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6439 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2020-11713 CVE STATUS: Patched CVE SUMMARY: wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11713 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2020-11735 CVE STATUS: Patched CVE SUMMARY: The private-key operations in ecc.c in wolfSSL before 4.4.0 do not use a constant-time modular inverse when mapping to affine coordinates, aka a "projective coordinates leak." CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11735 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2020-12457 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in wolfSSL before 4.5.0. It mishandles the change_cipher_spec (CCS) message processing logic for TLS 1.3. If an attacker sends ChangeCipherSpec messages in a crafted way involving more than one in a row, the server becomes stuck in the ProcessReply() loop, i.e., a denial of service. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12457 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2020-15309 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. Local attackers can conduct a cache-timing attack against public key operations. These attackers may already have obtained sensitive information if the affected system has been used for private key operations (e.g., signing with a private key). CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15309 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2020-24585 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the DTLS handshake implementation in wolfSSL before 4.5.0. Clear DTLS application_data messages in epoch 0 do not produce an out-of-order error. Instead, these messages are returned to the application. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24585 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2020-24613 CVE STATUS: Patched CVE SUMMARY: wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in tls13.c. This is an incorrect implementation of the TLS 1.3 client state machine. This allows attackers in a privileged network position to completely impersonate any TLS 1.3 servers, and read or modify potentially sensitive information between clients using the wolfSSL library and these TLS servers. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24613 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2020-36177 CVE STATUS: Patched CVE SUMMARY: RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36177 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2021-24116 CVE STATUS: Patched CVE SUMMARY: In wolfSSL through 4.6.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 4.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-24116 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2021-3336 CVE STATUS: Patched CVE SUMMARY: DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED22519, ED448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3336 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2021-37155 CVE STATUS: Patched CVE SUMMARY: wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request differs from the serial number in the OCSP response. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37155 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2021-38597 CVE STATUS: Patched CVE SUMMARY: wolfSSL before 4.8.1 incorrectly skips OCSP verification in certain situations of irrelevant response data that contains the NoCheck extension. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38597 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2021-44718 CVE STATUS: Patched CVE SUMMARY: wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic from a Machine-in-the-Middle (MITM) position. The root cause is that the client module accepts TLS messages that normally are only sent to TLS servers. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-44718 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2022-23408 CVE STATUS: Patched CVE SUMMARY: wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of misplaced memory initialization in BuildMessage in internal.c. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23408 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2022-25638 CVE STATUS: Patched CVE SUMMARY: In wolfSSL before 5.2.0, certificate validation may be bypassed during attempted authentication by a TLS 1.3 client to a TLS 1.3 server. This occurs when the sig_algo field differs between the certificate_verify message and the certificate message. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25638 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2022-25640 CVE STATUS: Patched CVE SUMMARY: In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement for mutual authentication. A client can simply omit the certificate_verify message from the handshake, and never present a certificate. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25640 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2022-34293 CVE STATUS: Patched CVE SUMMARY: wolfSSL before 5.4.0 allows remote attackers to cause a denial of service via DTLS because a check for return-routability can be skipped. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-34293 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2022-38152 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on its session, the server crashes with a segmentation fault. This occurs in the second session, which is created through TLS session resumption and reuses the initial struct WOLFSSL. If the server reuses the previous session structure (struct WOLFSSL) by calling wolfSSL_clear(WOLFSSL* ssl) on it, the next received Client Hello (that resumes the previous session) crashes the server. Note that this bug is only triggered when resuming sessions using TLS session resumption. Only servers that use wolfSSL_clear instead of the recommended SSL_free; SSL_new sequence are affected. Furthermore, wolfSSL_clear is part of wolfSSL's compatibility layer and is not enabled by default. It is not part of wolfSSL's native API. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-38152 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2022-38153 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is exploitable. Man-in-the-middle attackers or a malicious server can crash TLS 1.2 clients during a handshake. If an attacker injects a large ticket (more than 256 bytes) into a NewSessionTicket message in a TLS 1.2 handshake, and the client has a non-empty session cache, the session cache frees a pointer that points to unallocated memory, causing the client to crash with a "free(): invalid pointer" message. NOTE: It is likely that this is also exploitable during TLS 1.3 handshakes between a client and a malicious server. With TLS 1.3, it is not possible to exploit this as a man-in-the-middle. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-38153 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2022-39173 CVE STATUS: Patched CVE SUMMARY: In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. This occurs when an attacker supposedly resumes a previous TLS session. During the resumption Client Hello a Hello Retry Request must be triggered. Both Client Hellos are required to contain a list of duplicate cipher suites to trigger the buffer overflow. In total, two Client Hellos have to be sent: one in the resumed session, and a second one as a response to a Hello Retry Request message. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-39173 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2022-42905 CVE STATUS: Patched CVE SUMMARY: In wolfSSL before 5.5.2, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS 1.3 client or network attacker can trigger a buffer over-read on the heap of 5 bytes. (WOLFSSL_CALLBACKS is only intended for debugging.) CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42905 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2022-42961 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in wolfSSL before 5.5.0. A fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users performing signing operations with private ECC keys, such as in server-side TLS connections, might leak faulty ECC signatures. These signatures can be processed via an advanced technique for ECDSA key recovery. (In 5.5.0 and later, WOLFSSL_CHECK_SIG_FAULTS can be used to address the vulnerability.) CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-42961 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2023-3724 CVE STATUS: Patched CVE SUMMARY: If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor a KSE (key share extension) when connecting to a malicious server, a default predictable buffer gets used for the IKM (Input Keying Material) value when generating the session master secret. Using a potentially known IKM value when generating the session master secret key compromises the key generated, allowing an eavesdropper to reconstruct it and potentially allowing access to or meddling with message contents in the session. This issue does not affect client validation of connected servers, nor expose private key information, but could result in an insecure TLS 1.3 session when not controlling both sides of the connection. wolfSSL recommends that TLS 1.3 client side users update the version of wolfSSL used.  CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3724 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2023-6935 CVE STATUS: Patched CVE SUMMARY: wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when built with the following options to configure: --enable-all CFLAGS="-DWOLFSSL_STATIC_RSA" The define “WOLFSSL_STATIC_RSA” enables static RSA cipher suites, which is not recommended, and has been disabled by default since wolfSSL 3.6.6.  Therefore the default build since 3.6.6, even with "--enable-all", is not vulnerable to the Marvin Attack. The vulnerability is specific to static RSA cipher suites, and expected to be padding-independent. The vulnerability allows an attacker to decrypt ciphertexts and forge signatures after probing with a large number of test observations. However the server’s private key is not exposed. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6935 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2023-6936 CVE STATUS: Patched CVE SUMMARY: In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attacker can trigger a buffer over-read on the heap of 5 bytes (WOLFSSL_CALLBACKS is only intended for debugging). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6936 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2023-6937 CVE STATUS: Patched CVE SUMMARY: wolfSSL prior to 5.6.6 did not check that messages in one (D)TLS record do not span key boundaries. As a result, it was possible to combine (D)TLS messages using different keys into one (D)TLS record. The most extreme edge case is that, in (D)TLS 1.3, it was possible that an unencrypted (D)TLS 1.3 record from the server containing first a ServerHello message and then the rest of the first server flight would be accepted by a wolfSSL client. In (D)TLS 1.3 the handshake is encrypted after the ServerHello but a wolfSSL client would accept an unencrypted flight from the server. This does not compromise key negotiation and authentication so it is assigned a low severity rating. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6937 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2024-0901 CVE STATUS: Patched CVE SUMMARY: Remotely executed SEGV and out of bounds read allows malicious packet sender to crash or cause an out of bounds read via sending a malformed packet with the correct length. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-0901 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2024-1543 CVE STATUS: Patched CVE SUMMARY: The side-channel protected T-Table implementation in wolfSSL up to version 5.6.5 protects against a side-channel attacker with cache-line resolution. In a controlled environment such as Intel SGX, an attacker can gain a per instruction sub-cache-line resolution allowing them to break the cache-line-level protection. For details on the attack refer to: https://doi.org/10.46586/tches.v2024.i1.457-500 CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-1543 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2024-1544 CVE STATUS: Patched CVE SUMMARY: Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits (a digit having e.g. a size of 8 byte) of r by the upper digit of n and then decrements q_e in a loop until it has the correct size. Observing the number of times q_e is decremented through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, e.g., we find a bias of 15 bits. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-1544 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2024-1545 CVE STATUS: Patched CVE SUMMARY: Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the RsaKey structure. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-1545 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2024-2881 CVE STATUS: Patched CVE SUMMARY: Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the ed25519_key structure. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-2881 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2024-5288 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in wolfSSL before 5.7.0. A safe-error attack via Rowhammer, namely FAULT+PROBE, leads to ECDSA key disclosure. When WOLFSSL_CHECK_SIG_FAULTS is used in signing operations with private ECC keys, such as in server-side TLS connections, the connection is halted if any fault occurs. The success rate in a certain amount of connection requests can be processed via an advanced technique for ECDSA key recovery. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-5288 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2024-5814 CVE STATUS: Patched CVE SUMMARY: A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500 CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 5.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-5814 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2024-5991 CVE STATUS: Patched CVE SUMMARY: In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a caller was attempting to do a name check on a non-NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator.This issue affects wolfSSL: through 5.7.0. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 10.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-5991 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2025-11931 CVE STATUS: Patched CVE SUMMARY: Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. This issue is hit specifically with a call to the function wc_XChaCha20Poly1305_Decrypt() which is not used with TLS connections, only from direct calls from an application. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 2.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-11931 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2025-11932 CVE STATUS: Patched CVE SUMMARY: The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the PSK binder CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 2.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-11932 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2025-11933 CVE STATUS: Patched CVE SUMMARY: Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthenticated attacker to potentially cause a denial-of-service via a crafted ClientHello message with duplicate CKS extensions. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 2.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-11933 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2025-11934 CVE STATUS: Patched CVE SUMMARY: Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 2.7 CVSS v4 BASE SCORE: 2.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-11934 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2025-11935 CVE STATUS: Patched CVE SUMMARY: With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 6.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-11935 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2025-11936 CVE STATUS: Patched CVE SUMMARY: Improper input validation in the TLS 1.3 KeyShareEntry parsing in wolfSSL v5.8.2 on multiple platforms allows a remote unauthenticated attacker to cause a denial-of-service by sending a crafted ClientHello message containing duplicate KeyShareEntry values for the same supported group, leading to excessive CPU and memory consumption during ClientHello processing. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 6.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-11936 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2025-12888 CVE STATUS: Patched CVE SUMMARY: Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory implementations of X25519, which is now turned on as the default for Xtensa. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 1.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-12888 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2025-12889 CVE STATUS: Patched CVE SUMMARY: With TLS 1.2 connections a client can use any digest, specifically a weaker digest that is supported, rather than those in the CertificateRequest. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.4 CVSS v4 BASE SCORE: 2.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-12889 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2025-7394 CVE STATUS: Patched CVE SUMMARY: In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although RAND_bytes() documentation in OpenSSL calls out not being safe for use with fork() without first calling RAND_poll(), an additional code change was also made in wolfSSL to make RAND_bytes() behave similar to OpenSSL after a fork() call without calling RAND_poll(). Now the Hash-DRBG used gets reseeded after detecting running in a new process. If making use of RAND_bytes() and calling fork() we recommend updating to the latest version of wolfSSL. Thanks to Per Allansson from Appgate for the report. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 7.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-7394 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2025-7395 CVE STATUS: Patched CVE SUMMARY: A certificate verification error in wolfSSL when building with the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION options results in the wolfSSL client failing to properly verify the server certificate's domain name, allowing any certificate issued by a trusted CA to be accepted regardless of the hostname. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 9.2 VECTOR: NETWORK VECTORSTRING: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:D/RE:X/U:Red MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-7395 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2025-7396 CVE STATUS: Patched CVE SUMMARY: In wolfSSL release 5.8.2 blinding support is turned on by default for Curve25519 in applicable builds. The blinding configure option is only for the base C implementation of Curve25519. It is not needed, or available with; ARM assembly builds, Intel assembly builds, and the small Curve25519 feature. While the side-channel attack on extracting a private key would be very difficult to execute in practice, enabling blinding provides an additional layer of protection for devices that may be more susceptible to physical access or side-channel observation. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.6 CVSS v4 BASE SCORE: 5.6 VECTOR: PHYSICAL VECTORSTRING: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-7396 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-0819 CVE STATUS: Unpatched CVE SUMMARY: A stack buffer overflow vulnerability exists in wolfSSL's PKCS7 SignedData encoding functionality. In wc_PKCS7_BuildSignedAttributes(), when adding custom signed attributes, the code passes an incorrect capacity value (esd->signedAttribsCount) to EncodeAttributes() instead of the remaining available space in the fixed-size signedAttribs[7] array. When an application sets pkcs7->signedAttribsSz to a value greater than MAX_SIGNED_ATTRIBS_SZ (default 7) minus the number of default attributes already added, EncodeAttributes() writes beyond the array bounds, causing stack memory corruption. In WOLFSSL_SMALL_STACK builds, this becomes heap corruption. Exploitation requires an application that allows untrusted input to control the signedAttribs array size when calling wc_PKCS7_EncodeSignedData() or related signing functions. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 2.2 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-0819 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-1005 CVE STATUS: Unpatched CVE SUMMARY: Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacker to cause a buffer overflow in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing heap buffer overflow and a crash. An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 2.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-1005 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-2645 CVE STATUS: Unpatched CVE SUMMARY: In wolfSSL 5.8.2 and earlier, a logic flaw existed in the TLS 1.2 server state machine implementation. The server could incorrectly accept the CertificateVerify message before the ClientKeyExchange message had been received. This issue affects wolfSSL before 5.8.4 (wolfSSL 5.8.2 and earlier is vulnerable, 5.8.4 is not vulnerable). In 5.8.4 wolfSSL would detect the issue later in the handshake. 5.9.0 was further hardened to catch the issue earlier in the handshake. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 5.5 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-2645 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-2646 CVE STATUS: Unpatched CVE SUMMARY: A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data with SESSION_CERTS enabled, certificate and session id lengths are read from an untrusted input without bounds validation, allowing an attacker to overflow fixed-size buffers and corrupt heap memory. A maliciously crafted session would need to be loaded from an external source to trigger this vulnerability. Internal sessions were not vulnerable. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 5.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-2646 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-3229 CVE STATUS: Unpatched CVE SUMMARY: An integer overflow vulnerability existed in the static function wolfssl_add_to_chain, that caused heap corruption when certificate data was written out of bounds of an insufficiently sized certificate buffer. wolfssl_add_to_chain is called by these API: wolfSSL_CTX_add_extra_chain_cert, wolfSSL_CTX_add1_chain_cert, wolfSSL_add0_chain_cert. These API are enabled for 3rd party compatibility features: enable-opensslall, enable-opensslextra, enable-lighty, enable-stunnel, enable-nginx, enable-haproxy. This issue is not remotely exploitable, and would require that the application context loading certificates is compromised. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 1.2 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3229 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-3230 CVE STATUS: Unpatched CVE SUMMARY: Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest handshake logic in wolfSSL could lead to a compromise in the confidentiality of TLS-protected communications via a crafted HelloRetryRequest followed by a ServerHello message that omits the required key_share extension, resulting in derivation of predictable traffic secrets from (EC)DHE shared secret. This issue does not affect the client's authentication of the server during TLS handshakes. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 2.7 CVSS v4 BASE SCORE: 1.2 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3230 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-3503 CVE STATUS: Patched CVE SUMMARY: Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion. This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.2 CVSS v4 BASE SCORE: 4.3 VECTOR: PHYSICAL VECTORSTRING: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3503 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-3547 CVE STATUS: Unpatched CVE SUMMARY: Out-of-bounds read in ALPN parsing due to incomplete validation. wolfSSL 5.8.4 and earlier contained an out-of-bounds read in ALPN handling when built with ALPN enabled (HAVE_ALPN / --enable-alpn). A crafted ALPN protocol list could trigger an out-of-bounds read, leading to a potential process crash (denial of service). Note that ALPN is disabled by default, but is enabled for these 3rd party compatibility features: enable-apachehttpd, enable-bind, enable-curl, enable-haproxy, enable-hitch, enable-lighty, enable-jni, enable-nginx, enable-quic. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3547 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-3548 CVE STATUS: Unpatched CVE SUMMARY: Two buffer overflow vulnerabilities existed in the wolfSSL CRL parser when parsing CRL numbers: a heap-based buffer overflow could occur when improperly storing the CRL number as a hexadecimal string, and a stack-based overflow for sufficiently sized CRL numbers. With appropriately crafted CRLs, either of these out of bound writes could be triggered. Note this only affects builds that specifically enable CRL support, and the user would need to load a CRL from an untrusted source. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 7.2 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3548 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-3549 CVE STATUS: Unpatched CVE SUMMARY: Heap Overflow in TLS 1.3 ECH parsing. An integer underflow existed in ECH extension parsing logic when calculating a buffer length, which resulted in writing beyond the bounds of an allocated buffer. Note that in wolfSSL, ECH is off by default, and the ECH standard is still evolving. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 8.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3549 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-3579 CVE STATUS: Patched CVE SUMMARY: wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. The compiler-inserted __muldi3 subroutine executes in variable time based on operand values. This affects multiple SP math functions (sp_256_mul_9, sp_256_sqr_9, etc.), leading to a timing side-channel that may expose sensitive cryptographic data. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 2.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3579 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-3580 CVE STATUS: Patched CVE SUMMARY: In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when targeting RISC-V RV32I with -O3. This transformation breaks the side-channel resistance of ECC scalar multiplication, potentially allowing a local attacker to recover secret keys via timing analysis. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 2.1 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3580 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-3849 CVE STATUS: Unpatched CVE SUMMARY: Stack Buffer Overflow in wc_HpkeLabeledExtract via Oversized ECH Config. A vulnerability existed in wolfSSL 5.8.4 ECH (Encrypted Client Hello) support, where a maliciously crafted ECH config could cause a stack buffer overflow on the client side, leading to potential remote execution and client program crash. This could be exploited by a malicious TLS server supporting ECH. Note that ECH is off by default, and is only enabled with enable-ech. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 6.9 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3849 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-4159 CVE STATUS: Unpatched CVE SUMMARY: 1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted content. Note that PKCS7 support is disabled by default. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 1.2 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-4159 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-4395 CVE STATUS: Unpatched CVE SUMMARY: Heap-based buffer overflow in the KCAPI ECC code path of wc_ecc_import_x963_ex() in wolfSSL wolfcrypt allows a remote attacker to write attacker-controlled data past the bounds of the pubkey_raw buffer via a crafted oversized EC public key point. The WOLFSSL_KCAPI_ECC code path copies the input to key->pubkey_raw (132 bytes) using XMEMCPY without a bounds check, unlike the ATECC code path which includes a length validation. This can be triggered during TLS key exchange when a malicious peer sends a crafted ECPoint in ServerKeyExchange. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 1.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-4395 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5187 CVE STATUS: Unpatched CVE SUMMARY: Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot before writing two OID arc values (out[0] and out[1]), enabling a 2-byte out-of-bounds write when outSz equals 1. Second, multiple callers pass sizeof(decOid) (64 bytes on 64-bit platforms) instead of the element count MAX_OID_SZ (32), causing the function to accept crafted OIDs with 33 or more arcs that write past the end of the allocated buffer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 2.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5187 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5188 CVE STATUS: Unpatched CVE SUMMARY: An integer underflow issue exists in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates. A malformed certificate can specify an entry length larger than the enclosing sequence, causing the internal length counter to wrap during parsing. This results in incorrect handling of certificate data. The issue is limited to configurations using the original ASN.1 parsing implementation which is off by default. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 2.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5188 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5194 CVE STATUS: Unpatched CVE SUMMARY: Missing hash/digest size and OID checks allow digests smaller than allowed when verifying ECDSA certificates, or smaller than is appropriate for the relevant key type, to be accepted by signature verification functions. This could lead to reduced security of ECDSA certificate-based authentication if the public CA key used is also known. This affects ECDSA/ECC verification when EdDSA or ML-DSA is also enabled. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 9.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5194 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5263 CVE STATUS: Unpatched CVE SUMMARY: URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/asn.c. A compromised or malicious sub-CA could issue leaf certificates with URI SAN entries that violate the nameConstraints of the issuing CA, and wolfSSL would accept them as valid. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 7.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5263 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5264 CVE STATUS: Unpatched CVE SUMMARY: Heap buffer overflow in DTLS 1.3 ACK message processing. A remote attacker can send a crafted DTLS 1.3 ACK message that triggers a heap buffer overflow. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 8.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5264 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5295 CVE STATUS: Unpatched CVE SUMMARY: A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7_DecryptOri() function in wolfcrypt/src/pkcs7.c. When processing a CMS EnvelopedData message containing an OtherRecipientInfo (ORI) recipient, the function copies an ASN.1-parsed OID into a fixed 32-byte stack buffer (oriOID[MAX_OID_SZ]) via XMEMCPY without first validating that the parsed OID length does not exceed MAX_OID_SZ. A crafted CMS EnvelopedData message with an ORI recipient containing an OID longer than 32 bytes triggers a stack buffer overflow. Exploitation requires the library to be built with --enable-pkcs7 (disabled by default) and the application to have registered an ORI decrypt callback via wc_PKCS7_SetOriDecryptCb(). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.0 CVSS v4 BASE SCORE: 5.9 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5295 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5392 CVE STATUS: Unpatched CVE SUMMARY: Heap out-of-bounds read in PKCS7 parsing. A crafted PKCS7 message can trigger an OOB read on the heap. The missing bounds check is in the indefinite-length end-of-content verification loop in PKCS7_VerifySignedData(). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.4 CVSS v4 BASE SCORE: 2.3 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5392 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5393 CVE STATUS: Unpatched CVE SUMMARY: Dual-Algorithm CertificateVerify out-of-bounds read. When processing a dual-algorithm CertificateVerify message, an out-of-bounds read can occur on crafted input. This can only occur when --enable-experimental and --enable-dual-alg-certs is used when building wolfSSL. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 6.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5393 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5446 CVE STATUS: Unpatched CVE SUMMARY: In wolfSSL, ARIA-GCM cipher suites used in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte GCM nonce for every application-data record. Because wc_AriaEncrypt is stateless and passes the caller-supplied IV verbatim to the MagicCrypto SDK with no internal counter, and because the explicit IV is zero-initialized at session setup and never incremented in non-FIPS builds. This vulnerability affects wolfSSL builds configured with --enable-aria and the proprietary MagicCrypto SDK (a non-default, opt-in configuration required for Korean regulatory deployments). AES-GCM is not affected because wc_AesGcmEncrypt_ex maintains an internal invocation counter independently of the call-site guard. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 6.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5446 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5447 CVE STATUS: Unpatched CVE SUMMARY: Heap buffer overflow in CertFromX509 via AuthorityKeyIdentifier size confusion. A heap buffer overflow occurs when converting an X.509 certificate internally due to incorrect size handling of the AuthorityKeyIdentifier extension. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 6.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5447 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5448 CVE STATUS: Unpatched CVE SUMMARY: X.509 date buffer overflow in wolfSSL_X509_notAfter / wolfSSL_X509_notBefore. A buffer overflow may occur when parsing date fields from a crafted X.509 certificate via the compatibility layer API. This is only triggered when calling these two APIs directly from an application, and does not affect TLS or certificate verify operations in wolfSSL. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 2.3 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5448 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5460 CVE STATUS: Unpatched CVE SUMMARY: A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC) hybrid KeyShare processing. In the error handling path of TLSX_KeyShare_ProcessPqcHybridClient() in src/tls.c, the inner function TLSX_KeyShare_ProcessPqcClient_ex() frees a KyberKey object upon encountering an error. The caller then invokes TLSX_KeyShare_FreeAll(), which attempts to call ForceZero() on the already-freed KyberKey, resulting in writes of zero bytes over freed heap memory. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 6.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5460 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5466 CVE STATUS: Unpatched CVE SUMMARY: wolfSSL's ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` scalars from the signature blob via `mp_read_unsigned_bin` with no check that they lie in `[1, q-1]`. A crafted forged signature could verify against any message for any identity, using only publicly-known constants. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 7.6 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5466 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5477 CVE STATUS: Unpatched CVE SUMMARY: An integer overflow existed in the wolfCrypt CMAC implementation, that could be exploited to forge CMAC tags. The function wc_CmacUpdate used the guard `if (cmac->totalSz != 0)` to skip XOR-chaining on the first block (where digest is all-zeros and the XOR is a no-op). However, totalSz is word32 and wraps to zero after 2^28 block flushes (4 GiB), causing the guard to erroneously discard the live CBC-MAC chain state. Any two messages sharing a common suffix beyond the 4 GiB mark then produce identical CMAC tags, enabling a zero-work prefix-substitution forgery. The fix removes the guard, making the XOR unconditional; the no-op property on the first block is preserved because digest is zero-initialized by wc_InitCmac_ex. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 8.2 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5477 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5479 CVE STATUS: Unpatched CVE SUMMARY: In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal (and related EVP cipher finalization functions) fails to verify the authentication tag before returning plaintext to the caller. When an application uses the EVP API to perform ChaCha20-Poly1305 decryption, the implementation computes or accepts the tag but does not compare it against the expected value. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 7.6 VECTOR: ADJACENT_NETWORK VECTORSTRING: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5479 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5500 CVE STATUS: Unpatched CVE SUMMARY: wolfSSL's wc_PKCS7_DecodeAuthEnvelopedData() does not properly sanitize the AES-GCM authentication tag length received and has no lower bounds check. A man-in-the-middle can therefore truncate the mac field from 16 bytes to 1 byte, reducing the tag check from 2⁻¹²⁸ to 2⁻⁸. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 8.7 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5500 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5501 CVE STATUS: Unpatched CVE SUMMARY: wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if the attacker supplies an untrusted intermediate with Basic Constraints `CA:FALSE` that is legitimately signed by a trusted root. An attacker who obtains any leaf certificate from a trusted CA (e.g. a free DV cert from Let's Encrypt) can forge a certificate for any subject name with any public key and arbitrary signature bytes, and the function returns `WOLFSSL_SUCCESS` / `X509_V_OK`. The native wolfSSL TLS handshake path (`ProcessPeerCerts`) is not susceptible and the issue is limited to applications using the OpenSSL compatibility API directly, which would include integrations of wolfSSL into nginx and haproxy. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 8.6 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5501 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5503 CVE STATUS: Unpatched CVE SUMMARY: In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL. This caused TLSX_UseSNI to attach the attacker-controlled publicName to the shared WOLFSSL_CTX when no inner SNI was configured. TLSX_EchRestoreSNI then failed to clean it up because its removal was gated on serverNameX != NULL. The inner ClientHello was sized before the pollution but written after it, causing TLSX_SNI_Write to memcpy 255 bytes past the allocation boundary. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 6.9 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5503 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5504 CVE STATUS: Unpatched CVE SUMMARY: A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decryption queries with modified ciphertext. In previous versions of wolfSSL the interior padding bytes are not validated. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 6.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5504 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5507 CVE STATUS: Unpatched CVE SUMMARY: When restoring a session from cache, a pointer from the serialized session data is used in a free operation without validation. An attacker who can poison the session cache could trigger an arbitrary free. Exploitation requires the ability to inject a crafted session into the cache and for the application to call specific session restore APIs. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.0 CVSS v4 BASE SCORE: 4.1 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5507 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5772 CVE STATUS: Unpatched CVE SUMMARY: A 1-byte stack buffer over-read was identified in the MatchDomainName function (src/internal.c) during wildcard hostname validation when the LEFT_MOST_WILDCARD_ONLY flag is active. If a wildcard * exhausts the entire hostname string, the function reads one byte past the buffer without a bounds check, which could cause a crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 2.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5772 LAYER: meta-networking PACKAGE NAME: wolfssl PACKAGE VERSION: 5.7.2 CVE: CVE-2026-5778 CVE STATUS: Unpatched CVE SUMMARY: Integer underflow in wolfSSL packet sniffer <= 5.9.0 allows an attacker to cause a program crash in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing a large out-of-bounds read and crash. An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 2.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5778 LAYER: meta PACKAGE NAME: boost PACKAGE VERSION: 1.84.0 CVE: CVE-2008-0171 CVE STATUS: Patched CVE SUMMARY: regex/v4/perl_matcher_non_recursive.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (failed assertion and crash) via an invalid regular expression. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0171 LAYER: meta PACKAGE NAME: boost PACKAGE VERSION: 1.84.0 CVE: CVE-2008-0172 CVE STATUS: Patched CVE SUMMARY: The get_repeat_type function in basic_regex_creator.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (NULL dereference and crash) via an invalid regular expression. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0172 LAYER: meta PACKAGE NAME: boost PACKAGE VERSION: 1.84.0 CVE: CVE-2013-0252 CVE STATUS: Patched CVE SUMMARY: boost::locale::utf::utf_traits in the Boost.Locale library in Boost 1.48 through 1.52 does not properly detect certain invalid UTF-8 sequences, which might allow remote attackers to bypass input validation protection mechanisms via crafted trailing bytes. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0252 LAYER: meta PACKAGE NAME: boost PACKAGE VERSION: 1.84.0 CVE: CVE-2016-9840 CVE STATUS: Patched CVE SUMMARY: inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9840 LAYER: meta PACKAGE NAME: librsvg PACKAGE VERSION: 2.57.1 CVE: CVE-2011-3146 CVE STATUS: Patched CVE SUMMARY: librsvg before 2.34.1 uses the node name to identify the type of node, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference) and possibly execute arbitrary code via a SVG file with a node with the element name starting with "fe," which is misidentified as a RsvgFilterPrimitive. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3146 LAYER: meta PACKAGE NAME: librsvg PACKAGE VERSION: 2.57.1 CVE: CVE-2013-1881 CVE STATUS: Patched CVE SUMMARY: GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1881 LAYER: meta PACKAGE NAME: librsvg PACKAGE VERSION: 2.57.1 CVE: CVE-2015-7557 CVE STATUS: Patched CVE SUMMARY: The _rsvg_node_poly_build_path function in rsvg-shapes.c in librsvg before 2.40.7 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via an odd number of elements in a coordinate pair in an SVG document. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7557 LAYER: meta PACKAGE NAME: librsvg PACKAGE VERSION: 2.57.1 CVE: CVE-2015-7558 CVE STATUS: Patched CVE SUMMARY: librsvg before 2.40.12 allows context-dependent attackers to cause a denial of service (infinite loop, stack consumption, and application crash) via cyclic references in an SVG document. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7558 LAYER: meta PACKAGE NAME: librsvg PACKAGE VERSION: 2.57.1 CVE: CVE-2016-4348 CVE STATUS: Patched CVE SUMMARY: The _rsvg_css_normalize_font_size function in librsvg 2.40.2 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via circular definitions in an SVG document. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4348 LAYER: meta PACKAGE NAME: librsvg PACKAGE VERSION: 2.57.1 CVE: CVE-2016-6163 CVE STATUS: Patched CVE SUMMARY: The rsvg_pattern_fix_fallback function in rsvg-paint_server.c in librsvg2 2.40.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted svg file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6163 LAYER: meta PACKAGE NAME: librsvg PACKAGE VERSION: 2.57.1 CVE: CVE-2017-11464 CVE STATUS: Patched CVE SUMMARY: A SIGFPE is raised in the function box_blur_line of rsvg-filter.c in GNOME librsvg 2.40.17 during an attempted parse of a crafted SVG file, because of incorrect protection against division by zero. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11464 LAYER: meta PACKAGE NAME: librsvg PACKAGE VERSION: 2.57.1 CVE: CVE-2018-1000041 CVE STATUS: Ignored CVE DETAIL: not-applicable-platform CVE DESCRIPTION: Issue only applies on Windows CVE SUMMARY: GNOME librsvg version before commit c6ddf2ed4d768fd88adbea2b63f575cd523022ea contains a Improper input validation vulnerability in rsvg-io.c that can result in the victim's Windows username and NTLM password hash being leaked to remote attackers through SMB. This attack appear to be exploitable via The victim must process a specially crafted SVG file containing an UNC path on Windows. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000041 LAYER: meta PACKAGE NAME: librsvg PACKAGE VERSION: 2.57.1 CVE: CVE-2019-20446 CVE STATUS: Patched CVE SUMMARY: In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20446 LAYER: meta PACKAGE NAME: librsvg PACKAGE VERSION: 2.57.1 CVE: CVE-2023-38633 CVE STATUS: Patched CVE SUMMARY: A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38633 LAYER: meta PACKAGE NAME: speex PACKAGE VERSION: 1.2.1 CVE: CVE-2008-1686 CVE STATUS: Patched CVE SUMMARY: Array index vulnerability in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, xine-lib before 1.1.12, and many other products, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1686 LAYER: meta PACKAGE NAME: speex PACKAGE VERSION: 1.2.1 CVE: CVE-2020-23903 CVE STATUS: Patched CVE SUMMARY: A Divide by Zero vulnerability in the function static int read_samples of Speex v1.2 allows attackers to cause a denial of service (DoS) via a crafted WAV file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-23903 LAYER: meta PACKAGE NAME: speex PACKAGE VERSION: 1.2.1 CVE: CVE-2020-23904 CVE STATUS: Patched CVE SUMMARY: A stack buffer overflow in speexenc.c of Speex v1.2 allows attackers to cause a denial of service (DoS) via a crafted WAV file. NOTE: the vendor states "I cannot reproduce it" and it "is a demo program. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-23904 LAYER: meta PACKAGE NAME: libxfixes PACKAGE VERSION: 1_6.0.1 CVE: CVE-2013-1983 CVE STATUS: Patched CVE SUMMARY: Integer overflow in X.org libXfixes 5.0 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XFixesGetCursorImage function. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1983 LAYER: meta PACKAGE NAME: libxfixes PACKAGE VERSION: 1_6.0.1 CVE: CVE-2016-7944 CVE STATUS: Patched CVE SUMMARY: Integer overflow in X.org libXfixes before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of sync. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7944 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2007-4770 CVE STATUS: Patched CVE SUMMARY: libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4770 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2007-4771 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4771 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2011-4599 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the _canonicalize function in common/uloc.c in International Components for Unicode (ICU) before 49.1 allows remote attackers to execute arbitrary code via a crafted locale ID that is not properly handled during variant canonicalization. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4599 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2014-7923 CVE STATUS: Patched CVE SUMMARY: The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a look-behind expression. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7923 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2014-7926 CVE STATUS: Patched CVE SUMMARY: The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a zero-length quantifier. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7926 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2014-7940 CVE STATUS: Patched CVE SUMMARY: The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7940 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2014-8146 CVE STATUS: Patched CVE SUMMARY: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8146 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2014-8147 CVE STATUS: Patched CVE SUMMARY: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8147 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2014-9654 CVE STATUS: Patched CVE SUMMARY: The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9654 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2014-9911 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the ures_getByKeyWithFallback function in common/uresbund.cpp in International Components for Unicode (ICU) before 54.1 for C/C++ allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted uloc_getDisplayName call. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9911 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2015-5922 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in International Components for Unicode (ICU) before 53.1.0, as used in Apple OS X before 10.11 and watchOS before 2, has unknown impact and attack vectors. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5922 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2016-6293 CVE STATUS: Patched CVE SUMMARY: The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6293 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2016-7415 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the Locale class in common/locid.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long locale string. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7415 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2017-14952 CVE STATUS: Patched CVE SUMMARY: Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a "redundant UVector entry clean up function call" issue. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14952 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2017-15396 CVE STATUS: Patched CVE SUMMARY: A stack buffer overflow in NumberingSystem in International Components for Unicode (ICU) for C/C++ before 60.2, as used in V8 in Google Chrome prior to 62.0.3202.75 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15396 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2017-15422 CVE STATUS: Patched CVE SUMMARY: Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15422 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2017-17484 CVE STATUS: Patched CVE SUMMARY: The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17484 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2017-7867 CVE STATUS: Patched CVE SUMMARY: International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7867 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2017-7868 CVE STATUS: Patched CVE SUMMARY: International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7868 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2018-18928 CVE STATUS: Patched CVE SUMMARY: International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18928 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2020-10531 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10531 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2020-21913 CVE STATUS: Patched CVE SUMMARY: International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21913 LAYER: meta PACKAGE NAME: icu PACKAGE VERSION: 74-2 CVE: CVE-2025-5222 CVE STATUS: Patched CVE SUMMARY: A stack buffer overflow was found in Internationl components for unicode (ICU ). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-5222 LAYER: meta PACKAGE NAME: libxkbcommon PACKAGE VERSION: 1.6.0 CVE: CVE-2018-15853 CVE STATUS: Patched CVE SUMMARY: Endless recursion exists in xkbcomp/expr.c in xkbcommon and libxkbcommon before 0.8.1, which could be used by local attackers to crash xkbcommon users by supplying a crafted keymap file that triggers boolean negation. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15853 LAYER: meta PACKAGE NAME: libxkbcommon PACKAGE VERSION: 1.6.0 CVE: CVE-2018-15857 CVE STATUS: Patched CVE SUMMARY: An invalid free in ExprAppendMultiKeysymList in xkbcomp/ast-build.c in xkbcommon before 0.8.1 could be used by local attackers to crash xkbcommon keymap parsers or possibly have unspecified other impact by supplying a crafted keymap file. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15857 LAYER: meta PACKAGE NAME: libxkbcommon PACKAGE VERSION: 1.6.0 CVE: CVE-2018-15858 CVE STATUS: Patched CVE SUMMARY: Unchecked NULL pointer usage when handling invalid aliases in CopyKeyAliasesToKeymap in xkbcomp/keycodes.c in xkbcommon before 0.8.1 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15858 LAYER: meta PACKAGE NAME: libxkbcommon PACKAGE VERSION: 1.6.0 CVE: CVE-2018-15859 CVE STATUS: Patched CVE SUMMARY: Unchecked NULL pointer usage when parsing invalid atoms in ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because lookup failures are mishandled. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15859 LAYER: meta PACKAGE NAME: libxkbcommon PACKAGE VERSION: 1.6.0 CVE: CVE-2018-15861 CVE STATUS: Patched CVE SUMMARY: Unchecked NULL pointer usage in ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file that triggers an xkb_intern_atom failure. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15861 LAYER: meta PACKAGE NAME: libxkbcommon PACKAGE VERSION: 1.6.0 CVE: CVE-2018-15862 CVE STATUS: Patched CVE SUMMARY: Unchecked NULL pointer usage in LookupModMask in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with invalid virtual modifiers. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15862 LAYER: meta PACKAGE NAME: libxkbcommon PACKAGE VERSION: 1.6.0 CVE: CVE-2018-15863 CVE STATUS: Patched CVE SUMMARY: Unchecked NULL pointer usage in ResolveStateAndPredicate in xkbcomp/compat.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with a no-op modmask expression. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15863 LAYER: meta PACKAGE NAME: libxkbcommon PACKAGE VERSION: 1.6.0 CVE: CVE-2018-15864 CVE STATUS: Patched CVE SUMMARY: Unchecked NULL pointer usage in resolve_keysym in xkbcomp/parser.y in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because a map access attempt can occur for a map that was never created. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15864 LAYER: meta PACKAGE NAME: minicom PACKAGE VERSION: 2.9 CVE: CVE-2000-0698 CVE STATUS: Patched CVE SUMMARY: Minicom 1.82.1 and earlier on some Linux systems allows local users to create arbitrary files owned by the uucp user via a symlink attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0698 LAYER: meta PACKAGE NAME: minicom PACKAGE VERSION: 2.9 CVE: CVE-2001-0570 CVE STATUS: Patched CVE SUMMARY: minicom 1.83.1 and earlier allows a local attacker to gain additional privileges via numerous format string attacks. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0570 LAYER: meta PACKAGE NAME: minicom PACKAGE VERSION: 2.9 CVE: CVE-2017-7467 CVE STATUS: Patched CVE SUMMARY: A buffer overflow flaw was found in the way minicom before version 2.7.1 handled VT100 escape sequences. A malicious terminal device could potentially use this flaw to crash minicom, or execute arbitrary code in the context of the minicom process. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7467 LAYER: meta-oe PACKAGE NAME: htop PACKAGE VERSION: 3.3.0 CVE: CVE-2008-5076 CVE STATUS: Patched CVE SUMMARY: htop 0.7 writes process names to a terminal without sanitizing non-printable characters, which might allow local users to hide processes, modify arbitrary files, or have unspecified other impact via a process name with "crazy control strings." CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5076 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2007-4974 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the flac_buffer_copy function in libsndfile 1.0.17 and earlier might allow remote attackers to execute arbitrary code via a FLAC file with crafted PCM data containing a block with a size that exceeds the previous block size. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4974 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2009-0186 CVE STATUS: Patched CVE SUMMARY: Integer overflow in libsndfile 1.0.18, as used in Winamp and other products, allows context-dependent attackers to execute arbitrary code via crafted description chunks in a CAF audio file, leading to a heap-based buffer overflow. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0186 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2009-1788 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in voc_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a VOC file with an invalid header value. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1788 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2009-1791 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in aiff_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an AIFF file with an invalid header value. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1791 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2009-4835 CVE STATUS: Patched CVE SUMMARY: The (1) htk_read_header, (2) alaw_init, (3) ulaw_init, (4) pcm_init, (5) float32_init, and (6) sds_read_header functions in libsndfile 1.0.20 allow context-dependent attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted audio file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4835 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2011-2696 CVE STATUS: Patched CVE SUMMARY: Integer overflow in libsndfile before 1.0.25 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PARIS Audio Format (PAF) file that triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2696 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2014-9496 CVE STATUS: Patched CVE SUMMARY: The sd2_parse_rsrc_fork function in sd2.c in libsndfile allows attackers to have unspecified impact via vectors related to a (1) map offset or (2) rsrc marker, which triggers an out-of-bounds read. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9496 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2014-9756 CVE STATUS: Patched CVE SUMMARY: The psf_fwrite function in file_io.c in libsndfile allows attackers to cause a denial of service (divide-by-zero error and application crash) via unspecified vectors related to the headindex variable. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9756 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2015-7805 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in libsndfile 1.0.25 allows remote attackers to have unspecified impact via the headindex value in the header in an AIFF file. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7805 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2017-12562 CVE STATUS: Patched CVE SUMMARY: Heap-based Buffer Overflow in the psf_binheader_writef function in common.c in libsndfile through 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12562 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2017-14245 CVE STATUS: Patched CVE SUMMARY: An out of bounds read in the function d2alaw_array() in alaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14245 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2017-14246 CVE STATUS: Patched CVE SUMMARY: An out of bounds read in the function d2ulaw_array() in ulaw.c of libsndfile 1.0.28 may lead to a remote DoS attack or information disclosure, related to mishandling of the NAN and INFINITY floating-point values. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14246 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2017-14634 CVE STATUS: Patched CVE SUMMARY: In libsndfile 1.0.28, a divide-by-zero error exists in the function double64_init() in double64.c, which may lead to DoS when playing a crafted audio file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14634 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2017-16942 CVE STATUS: Patched CVE SUMMARY: In libsndfile 1.0.25 (fixed in 1.0.26), a divide-by-zero error exists in the function wav_w64_read_fmt_chunk() in wav_w64.c, which may lead to DoS when playing a crafted audio file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16942 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2017-6892 CVE STATUS: Patched CVE SUMMARY: In libsndfile version 1.0.28, an error in the "aiff_read_chanmap()" function (aiff.c) can be exploited to cause an out-of-bounds read memory access via a specially crafted AIFF file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6892 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2017-7585 CVE STATUS: Patched CVE SUMMARY: In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7585 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2017-7586 CVE STATUS: Patched CVE SUMMARY: In libsndfile before 1.0.28, an error in the "header_read()" function (common.c) when handling ID3 tags can be exploited to cause a stack-based buffer overflow via a specially crafted FLAC file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7586 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2017-7741 CVE STATUS: Patched CVE SUMMARY: In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a segmentation violation (with write memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7741 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2017-7742 CVE STATUS: Patched CVE SUMMARY: In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" function (flac.c) can be exploited to cause a segmentation violation (with read memory access) via a specially crafted FLAC file during a resample attempt, a similar issue to CVE-2017-7585. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7742 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2017-8361 CVE STATUS: Patched CVE SUMMARY: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8361 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2017-8362 CVE STATUS: Patched CVE SUMMARY: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8362 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2017-8363 CVE STATUS: Patched CVE SUMMARY: The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8363 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2017-8365 CVE STATUS: Patched CVE SUMMARY: The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8365 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2018-13139 CVE STATUS: Patched CVE SUMMARY: A stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file. The vulnerability can be triggered by the executable sndfile-deinterleave. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13139 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2018-13419 CVE STATUS: Patched CVE SUMMARY: An issue has been found in libsndfile 1.0.28. There is a memory leak in psf_allocate in common.c, as demonstrated by sndfile-convert. NOTE: The maintainer and third parties were unable to reproduce and closed the issue CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13419 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2018-19432 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in libsndfile 1.0.28. There is a NULL pointer dereference in the function sf_write_int in sndfile.c, which will lead to a denial of service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19432 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2018-19661 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2ulaw_array in ulaw.c that will lead to a denial of service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19661 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2018-19662 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in libsndfile 1.0.28. There is a buffer over-read in the function i2alaw_array in alaw.c that will lead to a denial of service. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19662 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2018-19758 CVE STATUS: Patched CVE SUMMARY: There is a heap-based buffer over-read at wav.c in wav_write_header in libsndfile 1.0.28 that will cause a denial of service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19758 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2019-3832 CVE STATUS: Patched CVE SUMMARY: It was discovered the fix for CVE-2018-19758 (libsndfile) was not complete and still allows a read beyond the limits of a buffer in wav_write_header() function in wav.c. A local attacker may use this flaw to make the application crash. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3832 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2021-3246 CVE STATUS: Patched CVE SUMMARY: A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3246 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2021-4156 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the FLAC codec, could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information that could be used in further exploitation of other flaws. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4156 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2022-33064 CVE STATUS: Patched CVE SUMMARY: An off-by-one error in function wav_read_header in src/wav.c in Libsndfile 1.1.0, results in a write out of bound, which allows an attacker to execute arbitrary code, Denial of Service or other unspecified impacts. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33064 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2022-33065 CVE STATUS: Patched CVE SUMMARY: Multiple signed integers overflow in function au_read_header in src/au.c and in functions mat4_open and mat4_read_header in src/mat4.c in Libsndfile, allows an attacker to cause Denial of Service or other unspecified impacts. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-33065 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2024-50612 CVE STATUS: Patched CVE SUMMARY: libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds read. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50612 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2024-50613 CVE STATUS: Unpatched CVE SUMMARY: libsndfile through 1.2.2 has a reachable assertion, that may lead to application exit, in mpeg_l3_encode.c mpeg_l3_encoder_close. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50613 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2025-52194 CVE STATUS: Unpatched CVE SUMMARY: A buffer overflow vulnerability exists in libsndfile version 1.2.2 and potentially earlier versions when processing malformed IRCAM audio files. The vulnerability occurs in the ircam_read_header function at src/ircam.c:164 during sample rate processing, leading to memory corruption and potential code execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-52194 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2025-56226 CVE STATUS: Unpatched CVE SUMMARY: Libsndfile <=1.2.2 contains a memory leak vulnerability in the mpeg_l3_encoder_init() function within the mpeg_l3_encode.c file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-56226 LAYER: meta PACKAGE NAME: libsndfile1 PACKAGE VERSION: 1.2.2 CVE: CVE-2026-37555 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-37555 LAYER: meta PACKAGE NAME: quota PACKAGE VERSION: 4.09 CVE: CVE-2012-3417 CVE STATUS: Patched CVE SUMMARY: The good_client function in rquotad (rquota_svc.c) in Linux DiskQuota (aka quota) before 3.17 invokes the hosts_ctl function the first time without a host name, which might allow remote attackers to bypass TCP Wrappers rules in hosts.deny. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3417 LAYER: meta PACKAGE NAME: m4 PACKAGE VERSION: 1.4.19 CVE: CVE-2008-1687 CVE STATUS: Patched CVE SUMMARY: The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do not quote their output when a file is created, which might allow context-dependent attackers to trigger a macro expansion, leading to unspecified use of an incorrect filename. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1687 LAYER: meta PACKAGE NAME: m4 PACKAGE VERSION: 1.4.19 CVE: CVE-2008-1688 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in GNU m4 before 1.4.11 might allow context-dependent attackers to execute arbitrary code, related to improper handling of filenames specified with the -F option. NOTE: it is not clear when this issue crosses privilege boundaries. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1688 LAYER: meta PACKAGE NAME: gtk+3 PACKAGE VERSION: 3.24.41 CVE: CVE-2001-0084 CVE STATUS: Patched CVE SUMMARY: GTK+ library allows local users to specify arbitrary modules via the GTK_MODULES environmental variable, which could allow local users to gain privileges if GTK+ is used by a setuid/setgid program. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0084 LAYER: meta PACKAGE NAME: gtk+3 PACKAGE VERSION: 3.24.41 CVE: CVE-2004-0753 CVE STATUS: Patched CVE SUMMARY: The BMP image processor for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted BMP file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0753 LAYER: meta PACKAGE NAME: gtk+3 PACKAGE VERSION: 3.24.41 CVE: CVE-2004-0782 CVE STATUS: Patched CVE SUMMARY: Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687). CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0782 LAYER: meta PACKAGE NAME: gtk+3 PACKAGE VERSION: 3.24.41 CVE: CVE-2004-0783 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0688). CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0783 LAYER: meta PACKAGE NAME: gtk+3 PACKAGE VERSION: 3.24.41 CVE: CVE-2004-0788 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the ICO image decoder for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted ICO file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0788 LAYER: meta PACKAGE NAME: gtk+3 PACKAGE VERSION: 3.24.41 CVE: CVE-2005-0372 CVE STATUS: Patched CVE SUMMARY: Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0372 LAYER: meta PACKAGE NAME: gtk+3 PACKAGE VERSION: 3.24.41 CVE: CVE-2005-0891 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in gtk 2 (gtk2) before 2.2.4 allows remote attackers to cause a denial of service (crash) via a crafted BMP image. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0891 LAYER: meta PACKAGE NAME: gtk+3 PACKAGE VERSION: 3.24.41 CVE: CVE-2005-2975 CVE STATUS: Patched CVE SUMMARY: io-xpm.c in the gdk-pixbuf XPM image rendering library in GTK+ before 2.8.7 allows attackers to cause a denial of service (infinite loop) via a crafted XPM image with a large number of colors. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2975 LAYER: meta PACKAGE NAME: gtk+3 PACKAGE VERSION: 3.24.41 CVE: CVE-2005-2976 CVE STATUS: Patched CVE SUMMARY: Integer overflow in io-xpm.c in gdk-pixbuf 0.22.0 in GTK+ before 2.8.7 allows attackers to cause a denial of service (crash) or execute arbitrary code via an XPM file with large height, width, and colour values, a different vulnerability than CVE-2005-3186. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2976 LAYER: meta PACKAGE NAME: gtk+3 PACKAGE VERSION: 3.24.41 CVE: CVE-2007-0010 CVE STATUS: Patched CVE SUMMARY: The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) before 2.4.13 allows context-dependent attackers to cause a denial of service (crash) via a malformed image file. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0010 LAYER: meta PACKAGE NAME: gtk+3 PACKAGE VERSION: 3.24.41 CVE: CVE-2010-0732 CVE STATUS: Patched CVE SUMMARY: gdk/gdkwindow.c in GTK+ before 2.18.5, as used in gnome-screensaver before 2.28.1, performs implicit paints on windows of type GDK_WINDOW_FOREIGN, which triggers an X error in certain circumstances and consequently allows physically proximate attackers to bypass screen locking and access an unattended workstation by pressing the Enter key many times. CVSS v2 BASE SCORE: 6.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0732 LAYER: meta PACKAGE NAME: gtk+3 PACKAGE VERSION: 3.24.41 CVE: CVE-2010-4831 CVE STATUS: Patched CVE SUMMARY: Untrusted search path vulnerability in gdk/win32/gdkinput-win32.c in GTK+ before 2.21.8 allows local users to gain privileges via a Trojan horse Wintab32.dll file in the current working directory. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4831 LAYER: meta PACKAGE NAME: gtk+3 PACKAGE VERSION: 3.24.41 CVE: CVE-2010-4833 CVE STATUS: Patched CVE SUMMARY: Untrusted search path vulnerability in modules/engines/ms-windows/xp_theme.c in GTK+ before 2.24.0 allows local users to gain privileges via a Trojan horse uxtheme.dll file in the current working directory, a different vulnerability than CVE-2010-4831. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4833 LAYER: meta PACKAGE NAME: gtk+3 PACKAGE VERSION: 3.24.41 CVE: CVE-2012-0828 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in Xchat-WDK before 1499-4 (2012-01-18) xchat 2.8.6 on Maemo architecture could allow remote attackers to cause a denial of service (xchat client crash) or execute arbitrary code via a UTF-8 line from server containing characters outside of the Basic Multilingual Plane (BMP). CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0828 LAYER: meta PACKAGE NAME: gtk+3 PACKAGE VERSION: 3.24.41 CVE: CVE-2014-1949 CVE STATUS: Patched CVE SUMMARY: GTK+ 3.10.9 and earlier, as used in cinnamon-screensaver, gnome-screensaver, and other applications, allows physically proximate attackers to bypass the lock screen by pressing the menu button. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1949 LAYER: meta PACKAGE NAME: cpio PACKAGE VERSION: 2.15 CVE: CVE-2005-1111 CVE STATUS: Patched CVE SUMMARY: Race condition in cpio 2.6 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete. CVSS v2 BASE SCORE: 3.7 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1111 LAYER: meta PACKAGE NAME: cpio PACKAGE VERSION: 2.15 CVE: CVE-2005-1229 CVE STATUS: Patched CVE SUMMARY: Directory traversal vulnerability in cpio 2.6 and earlier allows remote attackers to write to arbitrary directories via a .. (dot dot) in a cpio file. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1229 LAYER: meta PACKAGE NAME: cpio PACKAGE VERSION: 2.15 CVE: CVE-2005-4268 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in cpio 2.6-8.FC4 on 64-bit platforms, when creating a cpio archive, allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a file whose size is represented by more than 8 digits. CVSS v2 BASE SCORE: 3.7 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4268 LAYER: meta PACKAGE NAME: cpio PACKAGE VERSION: 2.15 CVE: CVE-2010-0624 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0624 LAYER: meta PACKAGE NAME: cpio PACKAGE VERSION: 2.15 CVE: CVE-2010-4226 CVE STATUS: Ignored CVE DETAIL: not-applicable-platform CVE DESCRIPTION: Issue applies to use of cpio in SUSE/OBS CVE SUMMARY: cpio, as used in build 2007.05.10, 2010.07.28, and possibly other versions, allows remote attackers to overwrite arbitrary files via a symlink within an RPM package archive. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.2 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4226 LAYER: meta PACKAGE NAME: cpio PACKAGE VERSION: 2.15 CVE: CVE-2014-9112 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the process_copy_in function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block value in a cpio archive. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9112 LAYER: meta PACKAGE NAME: cpio PACKAGE VERSION: 2.15 CVE: CVE-2015-1197 CVE STATUS: Patched CVE SUMMARY: cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1197 LAYER: meta PACKAGE NAME: cpio PACKAGE VERSION: 2.15 CVE: CVE-2016-2037 CVE STATUS: Patched CVE SUMMARY: The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2037 LAYER: meta PACKAGE NAME: cpio PACKAGE VERSION: 2.15 CVE: CVE-2019-14866 CVE STATUS: Patched CVE SUMMARY: In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14866 LAYER: meta PACKAGE NAME: cpio PACKAGE VERSION: 2.15 CVE: CVE-2021-38185 CVE STATUS: Patched CVE SUMMARY: GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38185 LAYER: meta PACKAGE NAME: cpio PACKAGE VERSION: 2.15 CVE: CVE-2023-7207 CVE STATUS: Patched CVE SUMMARY: Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in --no-absolute-filenames. Upstream has since provided a proper fix to --no-absolute-filenames. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-7207 LAYER: meta PACKAGE NAME: cpio PACKAGE VERSION: 2.15 CVE: CVE-2023-7216 CVE STATUS: Ignored CVE DETAIL: disputed CVE DESCRIPTION: intended behaviour, see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html CVE SUMMARY: A path traversal vulnerability was found in the CPIO utility. This issue could allow a remote unauthenticated attacker to trick a user into opening a specially crafted archive. During the extraction process, the archiver could follow symlinks outside of the intended directory, which allows files to be written in arbitrary directories through symlinks. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-7216 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2004-0691 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2004-0692 CVE STATUS: Patched CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2004-0693 CVE STATUS: Patched CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2005-0627 CVE STATUS: Patched CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2006-4811 CVE STATUS: Patched CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2007-0242 CVE STATUS: Patched CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2007-3388 CVE STATUS: Patched CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2007-4137 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2009-2700 CVE STATUS: Patched CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2010-1766 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2010-2621 CVE STATUS: Patched CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2010-5076 CVE STATUS: Patched CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2011-3193 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2011-3194 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2012-5624 CVE STATUS: Patched CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2012-6093 CVE STATUS: Patched CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2013-0254 CVE STATUS: Patched CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2013-4549 CVE STATUS: Patched CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2014-0190 CVE STATUS: Patched CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-0295 CVE STATUS: Patched CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1290 CVE STATUS: Patched CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1858 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1859 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1860 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-7298 CVE STATUS: Patched CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-9541 CVE STATUS: Patched CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2017-10904 CVE STATUS: Patched CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2017-10905 CVE STATUS: Patched CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2017-15011 CVE STATUS: Patched CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-15518 CVE STATUS: Patched CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19865 CVE STATUS: Patched CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19869 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19870 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19871 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19872 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19873 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-21035 CVE STATUS: Patched CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-0569 CVE STATUS: Patched CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 5.7 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-0570 CVE STATUS: Patched CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-12267 CVE STATUS: Patched CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-13962 CVE STATUS: Patched CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.) CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-17507 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-24742 CVE STATUS: Patched CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2021-28025 CVE STATUS: Patched CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2021-3481 CVE STATUS: Patched CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2021-38593 CVE STATUS: Patched CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-25255 CVE STATUS: Patched CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-25634 CVE STATUS: Patched CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-40983 CVE STATUS: Patched CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-43591 CVE STATUS: Patched CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-24607 CVE STATUS: Patched CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32573 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32762 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32763 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-33285 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-34410 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-37369 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-38197 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-43114 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-51714 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-25580 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-25580 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-30161 CVE STATUS: Patched CVE SUMMARY: In Qt 6.5.4, 6.5.5, and 6.6.2, QNetworkReply header data might be accessed via a dangling pointer in Qt for WebAssembly (wasm). (Earlier and later versions are unaffected.) CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-30161 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-36048 CVE STATUS: Unpatched CVE SUMMARY: QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36048 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-39936 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-30348 CVE STATUS: Unpatched CVE SUMMARY: encodeText in QDom in Qt before 6.8.0 has a complex algorithm involving XML string copy and inline replacement of parts of a string (with relocation of later data). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-30348 LAYER: meta-qt5 PACKAGE NAME: qtquickcontrols PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-5683 CVE STATUS: Patched CVE SUMMARY: When loading a specifically crafted ICNS format image file in QImage then it will trigger a crash. This issue affects Qt from versions 6.3.0 through 6.5.9, from 6.6.0 through 6.8.4, 6.9.0. This is fixed in 6.5.10, 6.8.5 and 6.9.1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 5.1 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-5683 LAYER: meta PACKAGE NAME: socat PACKAGE VERSION: 1.8.0.0 CVE: CVE-2004-1484 CVE STATUS: Patched CVE SUMMARY: Format string vulnerability in the _msg function in error.c in socat 1.4.0.3 and earlier, when used as an HTTP proxy client and run with the -ly option, allows remote attackers or local users to execute arbitrary code via format string specifiers in a syslog message. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1484 LAYER: meta PACKAGE NAME: socat PACKAGE VERSION: 1.8.0.0 CVE: CVE-2010-2799 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the nestlex function in nestlex.c in Socat 1.5.0.0 through 1.7.1.2 and 2.0.0-b1 through 2.0.0-b3, when bidirectional data relay is enabled, allows context-dependent attackers to execute arbitrary code via long command-line arguments. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2799 LAYER: meta PACKAGE NAME: socat PACKAGE VERSION: 1.8.0.0 CVE: CVE-2012-0219 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the xioscan_readline function in xio-readline.c in socat 1.4.0.0 through 1.7.2.0 and 2.0.0-b1 through 2.0.0-b4 allows local users to execute arbitrary code via the READLINE address. CVSS v2 BASE SCORE: 6.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0219 LAYER: meta PACKAGE NAME: socat PACKAGE VERSION: 1.8.0.0 CVE: CVE-2013-3571 CVE STATUS: Patched CVE SUMMARY: socat 1.2.0.0 before 1.7.2.2 and 2.0.0-b1 before 2.0.0-b6, when used for a listen type address and the fork option is enabled, allows remote attackers to cause a denial of service (file descriptor consumption) via multiple request that are refused based on the (1) sourceport, (2) lowport, (3) range, or (4) tcpwrap restrictions. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3571 LAYER: meta PACKAGE NAME: socat PACKAGE VERSION: 1.8.0.0 CVE: CVE-2014-0019 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in socat 1.3.0.0 through 1.7.2.2 and 2.0.0-b1 through 2.0.0-b6 allows local users to cause a denial of service (segmentation fault) via a long server name in the PROXY-CONNECT address in the command line. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0019 LAYER: meta PACKAGE NAME: socat PACKAGE VERSION: 1.8.0.0 CVE: CVE-2015-1379 CVE STATUS: Patched CVE SUMMARY: The signal handler implementations in socat before 1.7.3.0 and 2.0.0-b8 allow remote attackers to cause a denial of service (process freeze or crash). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1379 LAYER: meta PACKAGE NAME: socat PACKAGE VERSION: 1.8.0.0 CVE: CVE-2016-2217 CVE STATUS: Patched CVE SUMMARY: The OpenSSL address implementation in Socat 1.7.3.0 and 2.0.0-b8 does not use a prime number for the DH, which makes it easier for remote attackers to obtain the shared secret. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2217 LAYER: meta PACKAGE NAME: socat PACKAGE VERSION: 1.8.0.0 CVE: CVE-2024-54661 CVE STATUS: Patched CVE SUMMARY: readline.sh in socat before1.8.0.2 relies on the /tmp/$USER/stderr2 file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-54661 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2008-2935 CVE STATUS: Patched CVE SUMMARY: Multiple heap-based buffer overflows in the rc4 (1) encryption (aka exsltCryptoRc4EncryptFunction) and (2) decryption (aka exsltCryptoRc4DecryptFunction) functions in crypto.c in libexslt in libxslt 1.1.8 through 1.1.24 allow context-dependent attackers to execute arbitrary code via an XML file containing a long string as "an argument in the XSL input." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2935 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2011-1202 CVE STATUS: Patched CVE SUMMARY: The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 and earlier, as used in Google Chrome before 10.0.648.127 and other products, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1202 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2011-3970 CVE STATUS: Patched CVE SUMMARY: libxslt, as used in Google Chrome before 17.0.963.46, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3970 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2012-2870 CVE STATUS: Patched CVE SUMMARY: libxslt 1.1.26 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly manage memory, which might allow remote attackers to cause a denial of service (application crash) via a crafted XSLT expression that is not properly identified during XPath navigation, related to (1) the xsltCompileLocationPathPattern function in libxslt/pattern.c and (2) the xsltGenerateIdFunction function in libxslt/functions.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2870 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2012-6139 CVE STATUS: Patched CVE SUMMARY: libxslt before 1.1.28 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an (1) empty match attribute in a XSL key to the xsltAddKey function in keys.c or (2) uninitialized variable to the xsltDocumentFunction function in functions.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6139 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2013-4520 CVE STATUS: Patched CVE SUMMARY: xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a denial of service (crash) via a stylesheet that embeds a DTD, which causes a structure to be accessed as a different type. NOTE: this issue is due to an incomplete fix for CVE-2012-2825. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4520 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2015-7995 CVE STATUS: Patched CVE SUMMARY: The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check if the parent node is an element, which allows attackers to cause a denial of service via a crafted XML file, related to a "type confusion" issue. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7995 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2015-9019 CVE STATUS: Patched CVE SUMMARY: In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9019 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2016-1683 CVE STATUS: Patched CVE SUMMARY: numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles namespace nodes, which allows remote attackers to cause a denial of service (out-of-bounds heap memory access) or possibly have unspecified other impact via a crafted document. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1683 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2016-1684 CVE STATUS: Patched CVE SUMMARY: numbers.c in libxslt before 1.1.29, as used in Google Chrome before 51.0.2704.63, mishandles the i format token for xsl:number data, which allows remote attackers to cause a denial of service (integer overflow or resource consumption) or possibly have unspecified other impact via a crafted document. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1684 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2016-4607 CVE STATUS: Patched CVE SUMMARY: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4608, CVE-2016-4609, CVE-2016-4610, and CVE-2016-4612. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4607 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2016-4608 CVE STATUS: Patched CVE SUMMARY: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4609, CVE-2016-4610, and CVE-2016-4612. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4608 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2016-4609 CVE STATUS: Patched CVE SUMMARY: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4608, CVE-2016-4610, and CVE-2016-4612. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4609 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2016-4610 CVE STATUS: Patched CVE SUMMARY: libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, and CVE-2016-4612. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4610 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2017-5029 CVE STATUS: Patched CVE SUMMARY: The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5029 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2019-11068 CVE STATUS: Patched CVE SUMMARY: libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11068 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2019-13117 CVE STATUS: Patched CVE SUMMARY: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13117 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2019-13118 CVE STATUS: Patched CVE SUMMARY: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13118 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2019-18197 CVE STATUS: Patched CVE SUMMARY: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18197 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2019-5815 CVE STATUS: Patched CVE SUMMARY: Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5815 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2021-30560 CVE STATUS: Patched CVE SUMMARY: Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-30560 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2022-29824 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: Static linking to libxml2 is not enabled. CVE SUMMARY: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29824 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2024-55549 CVE STATUS: Patched CVE SUMMARY: xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-55549 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2025-11731 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes. While difficult to exploit, the flaw could lead to application instability or denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-11731 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2025-24855 CVE STATUS: Patched CVE SUMMARY: numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-24855 LAYER: meta PACKAGE NAME: libxslt PACKAGE VERSION: 1.1.43 CVE: CVE-2025-7424 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the libxslt library. The same memory field, psvi, is used for both stylesheet and input data, which can lead to type confusion during XML transformations. This vulnerability allows an attacker to crash the application or corrupt memory. In some cases, it may lead to denial of service or unexpected behavior. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-7424 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2005-0366 CVE STATUS: Patched CVE SUMMARY: The integrity check feature in OpenPGP, when handling a message that was encrypted using cipher feedback (CFB) mode, allows remote attackers to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or other mechanism is available to determine whether an integrity check failed. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0366 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2006-3082 CVE STATUS: Patched CVE SUMMARY: parse-packet.c in GnuPG (gpg) 1.4.3 and 1.9.20, and earlier versions, allows remote attackers to cause a denial of service (gpg crash) and possibly overwrite memory via a message packet with a large length (long user ID string), which could lead to an integer overflow, as demonstrated using the --no-armor option. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3082 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2006-3746 CVE STATUS: Patched CVE SUMMARY: Integer overflow in parse_comment in GnuPG (gpg) 1.4.4 allows remote attackers to cause a denial of service (segmentation fault) via a crafted message. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3746 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2006-6169 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the ask_outfile_name function in openfile.c for GnuPG (gpg) 1.4 and 2.0, when running interactively, might allow attackers to execute arbitrary code via messages with "C-escape" expansions, which cause the make_printable_string function to return a longer string than expected while constructing a prompt. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6169 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2007-1263 CVE STATUS: Patched CVE SUMMARY: GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1263 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2008-1530 CVE STATUS: Patched CVE SUMMARY: GnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted duplicate keys that are imported from key servers, which triggers "memory corruption around deduplication of user IDs." CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1530 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2010-2547 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG 2.x through 2.0.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a certificate with a large number of Subject Alternate Names, which is not properly handled in a realloc operation when importing the certificate or verifying its signature. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2547 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2011-2207 CVE STATUS: Patched CVE SUMMARY: dirmngr before 2.1.0 improperly handles certain system calls, which allows remote attackers to cause a denial of service (DOS) via a specially-crafted certificate. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2207 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2012-6085 CVE STATUS: Patched CVE SUMMARY: The read_block function in g10/import.c in GnuPG 1.4.x before 1.4.13 and 2.0.x through 2.0.19, when importing a key, allows remote attackers to corrupt the public keyring database or cause a denial of service (application crash) via a crafted length field of an OpenPGP packet. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6085 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2013-4242 CVE STATUS: Patched CVE SUMMARY: GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4242 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2013-4351 CVE STATUS: Patched CVE SUMMARY: GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4351 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2013-4402 CVE STATUS: Patched CVE SUMMARY: The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4402 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2013-4576 CVE STATUS: Patched CVE SUMMARY: GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4576 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2014-3591 CVE STATUS: Patched CVE SUMMARY: Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 4.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3591 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2014-4617 CVE STATUS: Patched CVE SUMMARY: The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4617 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2014-9087 CVE STATUS: Patched CVE SUMMARY: Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9087 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2015-0837 CVE STATUS: Patched CVE SUMMARY: The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack." CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0837 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2015-1606 CVE STATUS: Patched CVE SUMMARY: The keyring DB in GnuPG before 2.1.2 does not properly handle invalid packets, which allows remote attackers to cause a denial of service (invalid read and use-after-free) via a crafted keyring file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1606 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2015-1607 CVE STATUS: Patched CVE SUMMARY: kbx/keybox-search.c in GnuPG before 1.4.19, 2.0.x before 2.0.27, and 2.1.x before 2.1.2 does not properly handle bitwise left-shifts, which allows remote attackers to cause a denial of service (invalid read operation) via a crafted keyring file, related to sign extensions and "memcpy with overlapping ranges." CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1607 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2016-6313 CVE STATUS: Patched CVE SUMMARY: The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6313 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2018-1000858 CVE STATUS: Patched CVE SUMMARY: GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF, Information Disclosure, DoS. This attack appear to be exploitable via Victim must perform a WKD request, e.g. enter an email address in the composer window of Thunderbird/Enigmail. This vulnerability appears to have been fixed in after commit 4a4bb874f63741026bd26264c43bb32b1099f060. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000858 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2018-12020 CVE STATUS: Patched CVE SUMMARY: mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12020 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2018-9234 CVE STATUS: Patched CVE SUMMARY: GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9234 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2019-13050 CVE STATUS: Patched CVE SUMMARY: Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13050 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2019-14855 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14855 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2020-25125 CVE STATUS: Patched CVE SUMMARY: GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD preferences. The overflow is caused by a g10/key-check.c error. NOTE: GnuPG 2.3.x is unaffected. GnuPG 2.2.23 is a fixed version. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25125 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2022-3219 CVE STATUS: Ignored CVE DETAIL: upstream-wontfix CVE DESCRIPTION: Upstream doesn't seem to be keen on merging the proposed commit - https://dev.gnupg.org/T5993 CVE SUMMARY: GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3219 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2022-34903 CVE STATUS: Patched CVE SUMMARY: GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-34903 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2022-3515 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3515 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2025-30258 CVE STATUS: Patched CVE DETAIL: cpe-stable-backport CVE DESCRIPTION: fir for this CVE was backported to version 2.4.8 CVE SUMMARY: In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS." CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 2.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-30258 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2025-68972 CVE STATUS: Unpatched CVE SUMMARY: In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-68972 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2025-68973 CVE STATUS: Unpatched CVE SUMMARY: In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.) CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-68973 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2026-24881 CVE STATUS: Patched CVE SUMMARY: In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT--kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-24881 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2026-24882 CVE STATUS: Patched CVE SUMMARY: In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-24882 LAYER: meta PACKAGE NAME: gnupg PACKAGE VERSION: 2.4.8 CVE: CVE-2026-24883 CVE STATUS: Patched CVE SUMMARY: In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-24883 LAYER: meta PACKAGE NAME: libtasn1 PACKAGE VERSION: 4.20.0 CVE: CVE-2004-0401 CVE STATUS: Patched CVE SUMMARY: Unknown vulnerability in libtasn1 0.1.x before 0.1.2, and 0.2.x before 0.2.7, related to the DER parsing functions. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0401 LAYER: meta PACKAGE NAME: libtasn1 PACKAGE VERSION: 4.20.0 CVE: CVE-2006-0645 CVE STATUS: Patched CVE SUMMARY: Tiny ASN.1 Library (libtasn1) before 0.2.18, as used by (1) GnuTLS 1.2.x before 1.2.10 and 1.3.x before 1.3.4, and (2) GNU Shishi, allows attackers to crash the DER decoder and possibly execute arbitrary code via "out-of-bounds access" caused by invalid input, as demonstrated by the ProtoVer SSL test suite. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0645 LAYER: meta PACKAGE NAME: libtasn1 PACKAGE VERSION: 4.20.0 CVE: CVE-2012-1569 CVE STATUS: Patched CVE SUMMARY: The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1569 LAYER: meta PACKAGE NAME: libtasn1 PACKAGE VERSION: 4.20.0 CVE: CVE-2014-3467 CVE STATUS: Patched CVE SUMMARY: Multiple unspecified vulnerabilities in the DER decoder in GNU Libtasn1 before 3.6, as used in GnuTLS, allow remote attackers to cause a denial of service (out-of-bounds read) via crafted ASN.1 data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3467 LAYER: meta PACKAGE NAME: libtasn1 PACKAGE VERSION: 4.20.0 CVE: CVE-2014-3468 CVE STATUS: Patched CVE SUMMARY: The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3468 LAYER: meta PACKAGE NAME: libtasn1 PACKAGE VERSION: 4.20.0 CVE: CVE-2014-3469 CVE STATUS: Patched CVE SUMMARY: The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 before 3.6 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3469 LAYER: meta PACKAGE NAME: libtasn1 PACKAGE VERSION: 4.20.0 CVE: CVE-2015-2806 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows remote attackers to have unspecified impact via unknown vectors. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2806 LAYER: meta PACKAGE NAME: libtasn1 PACKAGE VERSION: 4.20.0 CVE: CVE-2015-3622 CVE STATUS: Patched CVE SUMMARY: The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.5 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted certificate. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3622 LAYER: meta PACKAGE NAME: libtasn1 PACKAGE VERSION: 4.20.0 CVE: CVE-2016-4008 CVE STATUS: Patched CVE SUMMARY: The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.8, when used without the ASN1_DECODE_FLAG_STRICT_DER flag, allows remote attackers to cause a denial of service (infinite recursion) via a crafted certificate. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4008 LAYER: meta PACKAGE NAME: libtasn1 PACKAGE VERSION: 4.20.0 CVE: CVE-2017-10790 CVE STATUS: Patched CVE SUMMARY: The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10790 LAYER: meta PACKAGE NAME: libtasn1 PACKAGE VERSION: 4.20.0 CVE: CVE-2017-6891 CVE STATUS: Patched CVE SUMMARY: Two errors in the "asn1_find_node()" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to cause a stacked-based buffer overflow by tricking a user into processing a specially crafted assignments file via the e.g. asn1Coding utility. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6891 LAYER: meta PACKAGE NAME: libtasn1 PACKAGE VERSION: 4.20.0 CVE: CVE-2018-1000654 CVE STATUS: Patched CVE SUMMARY: GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000654 LAYER: meta PACKAGE NAME: libtasn1 PACKAGE VERSION: 4.20.0 CVE: CVE-2018-6003 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6003 LAYER: meta PACKAGE NAME: libtasn1 PACKAGE VERSION: 4.20.0 CVE: CVE-2021-46848 CVE STATUS: Patched CVE SUMMARY: GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46848 LAYER: meta PACKAGE NAME: libtasn1 PACKAGE VERSION: 4.20.0 CVE: CVE-2025-13151 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-13151 LAYER: meta PACKAGE NAME: automake PACKAGE VERSION: 1.16.5 CVE: CVE-2009-4029 CVE STATUS: Patched CVE SUMMARY: The (1) dist or (2) distcheck rules in GNU Automake 1.11.1, 1.10.3, and release branches branch-1-4 through branch-1-9, when producing a distribution tarball for a package that uses Automake, assign insecure permissions (777) to directories in the build tree, which introduces a race condition that allows local users to modify the contents of package files, introduce Trojan horse programs, or conduct other attacks before the build is complete. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4029 LAYER: meta PACKAGE NAME: automake PACKAGE VERSION: 1.16.5 CVE: CVE-2012-3386 CVE STATUS: Patched CVE SUMMARY: The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3386 LAYER: meta PACKAGE NAME: strace PACKAGE VERSION: 6.7 CVE: CVE-2000-0006 CVE STATUS: Ignored CVE DETAIL: upstream-wontfix CVE DESCRIPTION: CVE is more than 20 years old with no resolution evident. Broken links in CVE database references make resolution impractical. CVE SUMMARY: strace allows local users to read arbitrary files via memory mapped file names. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0006 LAYER: meta PACKAGE NAME: kbd PACKAGE VERSION: 2.6.4 CVE: CVE-2011-0460 CVE STATUS: Patched CVE SUMMARY: The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map. CVSS v2 BASE SCORE: 6.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0460 LAYER: meta-python PACKAGE NAME: python3-tornado PACKAGE VERSION: 6.4.2 CVE: CVE-2025-47287 CVE STATUS: Patched CVE SUMMARY: Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-47287 LAYER: meta-python PACKAGE NAME: python3-tornado PACKAGE VERSION: 6.4.2 CVE: CVE-2025-67724 CVE STATUS: Patched CVE SUMMARY: Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-67724 LAYER: meta-python PACKAGE NAME: python3-tornado PACKAGE VERSION: 6.4.2 CVE: CVE-2025-67725 CVE STATUS: Patched CVE SUMMARY: Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS). Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity. The severity can vary from high if max_header_size has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-67725 LAYER: meta-python PACKAGE NAME: python3-tornado PACKAGE VERSION: 6.4.2 CVE: CVE-2025-67726 CVE STATUS: Patched CVE SUMMARY: Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(n²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-67726 LAYER: meta PACKAGE NAME: man-db PACKAGE VERSION: 2.12.0 CVE: CVE-2015-1336 CVE STATUS: Patched CVE SUMMARY: The daily mandb cleanup job in Man-db before 2.7.6.1-1 as packaged in Ubuntu and Debian allows local users with access to the man account to gain privileges via vectors involving insecure chown use. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1336 LAYER: meta PACKAGE NAME: man-db PACKAGE VERSION: 2.12.0 CVE: CVE-2018-25078 CVE STATUS: Patched CVE SUMMARY: man-db before 2.8.5 on Gentoo allows local users (with access to the man user account) to gain root privileges because /usr/bin/mandb is executed by root but not owned by root. (Also, the owner can strip the setuid and setgid bits.) CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-25078 LAYER: meta PACKAGE NAME: valgrind PACKAGE VERSION: 3.22.0 CVE: CVE-2008-4865 CVE STATUS: Patched CVE SUMMARY: Untrusted search path vulnerability in valgrind before 3.4.0 allows local users to execute arbitrary programs via a Trojan horse .valgrindrc file in the current working directory, as demonstrated using a malicious --db-command options. NOTE: the severity of this issue has been disputed, but CVE is including this issue because execution of a program from an untrusted directory is a common scenario. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4865 LAYER: meta PACKAGE NAME: valgrind PACKAGE VERSION: 3.22.0 CVE: CVE-2020-2245 CVE STATUS: Patched CVE SUMMARY: Jenkins Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. CVSS v2 BASE SCORE: 5.5 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-2245 LAYER: meta PACKAGE NAME: valgrind PACKAGE VERSION: 3.22.0 CVE: CVE-2020-2246 CVE STATUS: Patched CVE SUMMARY: Jenkins Valgrind Plugin 0.28 and earlier does not escape content in Valgrind XML reports, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Valgrind XML report contents. CVSS v2 BASE SCORE: 3.5 CVSS v3 BASE SCORE: 5.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-2246 LAYER: meta PACKAGE NAME: less PACKAGE VERSION: 643 CVE: CVE-2004-2264 CVE STATUS: Patched CVE SUMMARY: Format string bug in the open_altfile function in filename.c for GNU less 382, 381, and 358 might allow local users to cause a denial of service or possibly execute arbitrary code via format strings in the LESSOPEN environment variable. NOTE: since less is not setuid or setgid, then this is not a vulnerability unless there are plausible scenarios under which privilege boundaries could be crossed CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2264 LAYER: meta PACKAGE NAME: less PACKAGE VERSION: 643 CVE: CVE-2014-9488 CVE STATUS: Patched CVE SUMMARY: The is_utf8_well_formed function in GNU less before 475 allows remote attackers to have unspecified impact via malformed UTF-8 characters, which triggers an out-of-bounds read. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9488 LAYER: meta PACKAGE NAME: less PACKAGE VERSION: 643 CVE: CVE-2022-46663 CVE STATUS: Patched CVE SUMMARY: In GNU Less before 609, crafted data can result in "less -R" not filtering ANSI escape sequences sent to the terminal. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-46663 LAYER: meta PACKAGE NAME: less PACKAGE VERSION: 643 CVE: CVE-2022-48624 CVE STATUS: Patched CVE SUMMARY: close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48624 LAYER: meta PACKAGE NAME: less PACKAGE VERSION: 643 CVE: CVE-2024-32487 CVE STATUS: Patched CVE SUMMARY: less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32487 LAYER: meta PACKAGE NAME: xinetd PACKAGE VERSION: 2.3.15.4 CVE: CVE-2000-0536 CVE STATUS: Patched CVE SUMMARY: xinetd 2.1.8.x does not properly restrict connections if hostnames are used for access control and the connecting host does not have a reverse DNS entry. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0536 LAYER: meta PACKAGE NAME: xinetd PACKAGE VERSION: 2.3.15.4 CVE: CVE-2001-0825 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in internal string handling routines of xinetd before 2.1.8.8 allows remote attackers to execute arbitrary commands via a length argument of zero or less, which disables the length check. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0825 LAYER: meta PACKAGE NAME: xinetd PACKAGE VERSION: 2.3.15.4 CVE: CVE-2001-1322 CVE STATUS: Patched CVE SUMMARY: xinetd 2.1.8 and earlier runs with a default umask of 0, which could allow local users to read or modify files that are created by an application that runs under xinetd but does not set its own safe umask. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1322 LAYER: meta PACKAGE NAME: xinetd PACKAGE VERSION: 2.3.15.4 CVE: CVE-2001-1389 CVE STATUS: Patched CVE SUMMARY: Multiple vulnerabilities in xinetd 2.3.0 and earlier, and additional variants until 2.3.3, may allow remote attackers to cause a denial of service or execute arbitrary code, primarily via buffer overflows or improper NULL termination. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1389 LAYER: meta PACKAGE NAME: xinetd PACKAGE VERSION: 2.3.15.4 CVE: CVE-2002-0871 CVE STATUS: Patched CVE SUMMARY: xinetd 2.3.4 leaks file descriptors for the signal pipe to services that are launched by xinetd, which could allow those services to cause a denial of service via the pipe. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0871 LAYER: meta PACKAGE NAME: xinetd PACKAGE VERSION: 2.3.15.4 CVE: CVE-2003-0211 CVE STATUS: Patched CVE SUMMARY: Memory leak in xinetd 2.3.10 allows remote attackers to cause a denial of service (memory consumption) via a large number of rejected connections. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0211 LAYER: meta PACKAGE NAME: xinetd PACKAGE VERSION: 2.3.15.4 CVE: CVE-2012-0862 CVE STATUS: Patched CVE SUMMARY: builtins.c in Xinetd before 2.3.15 does not check the service type when the tcpmux-server service is enabled, which exposes all enabled services and allows remote attackers to bypass intended access restrictions via a request to tcpmux port 1. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0862 LAYER: meta PACKAGE NAME: xinetd PACKAGE VERSION: 2.3.15.4 CVE: CVE-2013-4342 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: Fixed directly in git tree revision CVE SUMMARY: xinetd does not enforce the user and group configuration directives for TCPMUX services, which causes these services to be run as root and makes it easier for remote attackers to gain privileges by leveraging another vulnerability in a service. CVSS v2 BASE SCORE: 7.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4342 LAYER: meta-networking PACKAGE NAME: netperf PACKAGE VERSION: 2.7.0+git CVE: CVE-2007-1444 CVE STATUS: Patched CVE SUMMARY: netserver in netperf 2.4.3 allows local users to overwrite arbitrary files via a symlink attack on /tmp/netperf.debug. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1444 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2003-0577 CVE STATUS: Patched CVE SUMMARY: mpg123 0.59r allows remote attackers to cause a denial of service and possibly execute arbitrary code via an MP3 file with a zero bitrate, which creates a negative frame size. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0577 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2003-0865 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in readstring of httpget.c for mpg123 0.59r and 0.59s allows remote attackers to execute arbitrary code via a long request. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0865 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2004-0805 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in layer2.c in mpg123 0.59r and possibly mpg123 0.59s allows remote attackers to execute arbitrary code via a certain (1) mp3 or (2) mp2 file. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0805 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2004-0982 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the getauthfromURL function in httpget.c in mpg123 pre0.59s and mpg123 0.59r could allow remote attackers or local users to execute arbitrary code via an mp3 file that contains a long string before the @ (at sign) in a URL. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0982 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2004-0991 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in mpg123 before 0.59s-r9 allows remote attackers to execute arbitrary code via frame headers in MP2 or MP3 files. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0991 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2004-1284 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the find_next_file function in playlist.c for mpg123 0.59r allows remote attackers to execute arbitrary code via a crafted MP3 playlist. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1284 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2006-1655 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in mpg123 0.59r allow user-assisted attackers to trigger a segmentation fault and possibly have other impacts via a certain MP3 file, as demonstrated by mpg1DoS3. NOTE: this issue might be related to CVE-2004-0991, but it is not clear. CVSS v2 BASE SCORE: 6.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1655 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2006-3355 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in httpdget.c in mpg123 before 0.59s-rll allows remote attackers to execute arbitrary code via a long URL, which is not properly terminated before being used with the strncpy function. NOTE: This appears to be the result of an incomplete patch for CVE-2004-0982. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3355 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2007-0578 CVE STATUS: Patched CVE SUMMARY: The http_open function in httpget.c in mpg123 before 0.64 allows remote attackers to cause a denial of service (infinite loop) by closing the HTTP connection early. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0578 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2007-4397 CVE STATUS: Patched CVE SUMMARY: Multiple CRLF injection vulnerabilities in (1) xmms-thing 1.0, (2) XMMS Remote Control Script 1.07, (3) Disrok 1.0, (4) a2x 0.0.1, (5) Another xmms-info script 1.0, (6) XChat-XMMS 0.8.1, and other unspecified scripts for XChat allow user-assisted remote attackers to execute arbitrary IRC commands via CRLF sequences in the name of the song in a .mp3 file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4397 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2009-1301 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the store_id3_text function in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code via an ID3 tag with a negative encoding value. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1301 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2014-9497 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in mpg123 before 1.18.0. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9497 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2017-10683 CVE STATUS: Patched CVE SUMMARY: In mpg123 1.25.0, there is a heap-based buffer over-read in the convert_latin1 function in libmpg123/id3.c. A crafted input will lead to a remote denial of service attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10683 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2017-11126 CVE STATUS: Patched CVE SUMMARY: The III_i_stereo function in libmpg123/layer3.c in mpg123 through 1.25.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file that is mishandled in the code for the "block_type != 2" case, a similar issue to CVE-2017-9870. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11126 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2017-12797 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the INT123_parse_new_id3 function in the ID3 parser in mpg123 before 1.25.5 on 32-bit platforms allows remote attackers to cause a denial of service via a crafted file, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12797 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2017-12839 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer over-read in the getbits function in src/libmpg123/getbits.h in mpg123 through 1.25.5 allows remote attackers to cause a possible denial-of-service (out-of-bounds read) or possibly have unspecified other impact via a crafted mp3 file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12839 LAYER: meta PACKAGE NAME: mpg123 PACKAGE VERSION: 1.32.10 CVE: CVE-2017-9545 CVE STATUS: Patched CVE SUMMARY: The next_text function in src/libmpg123/id3.c in mpg123 1.24.0 allows remote attackers to cause a denial of service (buffer over-read) via a crafted mp3 file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9545 LAYER: meta PACKAGE NAME: dbus-glib PACKAGE VERSION: 0.112 CVE: CVE-2010-1172 CVE STATUS: Patched CVE SUMMARY: DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3) ModemManager services. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1172 LAYER: meta PACKAGE NAME: dbus-glib PACKAGE VERSION: 0.112 CVE: CVE-2013-0292 CVE STATUS: Patched CVE SUMMARY: The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib before 0.100.1 does not properly verify the sender of NameOwnerChanged signals, which allows local users to gain privileges via a spoofed signal. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0292 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2005-4048 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the avcodec_default_get_buffer function (utils.c) in FFmpeg libavcodec 0.4.9-pre1 and earlier, as used in products such as (1) mplayer, (2) xine-lib, (3) Xmovie, and (4) GStreamer, allows remote attackers to execute arbitrary commands via small PNG images with palettes. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4048 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2006-4800 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in libavcodec in ffmpeg before 0.4.9_p20060530 allow remote attackers to cause a denial of service or possibly execute arbitrary code via multiple unspecified vectors in (1) dtsdec.c, (2) vorbis.c, (3) rm.c, (4) sierravmd.c, (5) smacker.c, (6) tta.c, (7) 4xm.c, (8) alac.c, (9) cook.c, (10) shorten.c, (11) smacker.c, (12) snow.c, and (13) tta.c. NOTE: it is likely that this is a different vulnerability than CVE-2005-4048 and CVE-2006-2802. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4800 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2008-3162 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the str_read_packet function in libavformat/psxstr.c in FFmpeg before r13993 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted STR file that interleaves audio and video sectors. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3162 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2008-4866 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in libavformat/utils.c in FFmpeg 0.4.9 before r14715, as used by MPlayer, allow context-dependent attackers to have an unknown impact via vectors related to execution of DTS generation code with a delay greater than MAX_REORDER_DELAY. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4866 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2008-4867 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in libavcodec/dca.c in FFmpeg 0.4.9 before r14917, as used by MPlayer, allows context-dependent attackers to have an unknown impact via vectors related to an incorrect DCA_MAX_FRAME_SIZE value. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4867 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2008-4868 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the avcodec_close function in libavcodec/utils.c in FFmpeg 0.4.9 before r14787, as used by MPlayer, has unknown impact and attack vectors, related to a free "on random pointers." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4868 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2008-4869 CVE STATUS: Patched CVE SUMMARY: FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attackers to cause a denial of service (memory consumption) via unknown vectors, aka a "Tcp/udp memory leak." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4869 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2009-0385 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the fourxm_read_header function in libavformat/4xm.c in FFmpeg before revision 16846 allows remote attackers to execute arbitrary code via a malformed 4X movie file with a large current_track value, which triggers a NULL pointer dereference. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0385 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2009-4631 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the VP3 decoder (vp3.c) in FFmpeg 0.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted VP3 file that triggers an out-of-bounds read and possibly memory corruption. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4631 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2009-4632 CVE STATUS: Patched CVE SUMMARY: oggparsevorbis.c in FFmpeg 0.5 does not properly perform certain pointer arithmetic, which might allow remote attackers to obtain sensitive memory contents and cause a denial of service via a crafted file that triggers an out-of-bounds read. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4632 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2009-4633 CVE STATUS: Patched CVE SUMMARY: vorbis_dec.c in FFmpeg 0.5 uses an assignment operator when a comparison operator was intended, which might allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted file that modifies a loop counter and triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4633 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2009-4634 CVE STATUS: Patched CVE SUMMARY: Multiple integer underflows in FFmpeg 0.5 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted file that (1) bypasses a validation check in vorbis_dec.c and triggers a wraparound of the stack pointer, or (2) access a pointer from out-of-bounds memory in mov.c, related to an elst tag that appears before a tag that creates a stream. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4634 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2009-4635 CVE STATUS: Patched CVE SUMMARY: FFmpeg 0.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted MOV container with improperly ordered tags that cause (1) mov.c and (2) utils.c to use inconsistent codec types and identifiers, leading to processing of a video-structure pointer by the mp3 decoder, and a stack-based buffer overflow. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4635 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2009-4636 CVE STATUS: Patched CVE SUMMARY: FFmpeg 0.5 allows remote attackers to cause a denial of service (hang) via a crafted file that triggers an infinite loop. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4636 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2009-4637 CVE STATUS: Patched CVE SUMMARY: FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a stack-based buffer overflow. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4637 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2009-4638 CVE STATUS: Patched CVE SUMMARY: Integer overflow in FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4638 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2009-4639 CVE STATUS: Patched CVE SUMMARY: The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) via a crafted AVI file that triggers a divide-by-zero error. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4639 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2009-4640 CVE STATUS: Patched CVE SUMMARY: Array index error in vorbis_dec.c in FFmpeg 0.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Vorbis file that triggers an out-of-bounds read. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-4640 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2010-3429 CVE STATUS: Patched CVE SUMMARY: flicvideo.c in libavcodec 0.6 and earlier in FFmpeg, as used in MPlayer and other products, allows remote attackers to execute arbitrary code via a crafted flic file, related to an "arbitrary offset dereference vulnerability." CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3429 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2010-3908 CVE STATUS: Patched CVE SUMMARY: FFmpeg before 0.5.4, as used in MPlayer and other products, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a malformed WMV file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3908 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2010-4704 CVE STATUS: Patched CVE SUMMARY: libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg 0.6.1 and earlier allows remote attackers to cause a denial of service (application crash) via a crafted .ogg file, related to the vorbis_floor0_decode function. NOTE: this might overlap CVE-2011-0480. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4704 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2010-4705 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the vorbis_residue_decode_internal function in libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg, possibly 0.6, has unspecified impact and remote attack vectors, related to the sizes of certain integer data types. NOTE: this might overlap CVE-2011-0480. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4705 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-0722 CVE STATUS: Patched CVE SUMMARY: FFmpeg before 0.5.4, as used in MPlayer and other products, allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a malformed RealMedia file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0722 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-0723 CVE STATUS: Patched CVE SUMMARY: FFmpeg 0.5.x, as used in MPlayer and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed VC-1 file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0723 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-1931 CVE STATUS: Patched CVE SUMMARY: sp5xdec.c in the Sunplus SP5X JPEG decoder in libavcodec in FFmpeg before 0.6.3 and libav through 0.6.2, as used in VideoLAN VLC media player 1.1.9 and earlier and other products, performs a write operation outside the bounds of an unspecified array, which allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a malformed AMV file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1931 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-2160 CVE STATUS: Patched CVE SUMMARY: The VC-1 decoding functionality in FFmpeg before 0.5.4, as used in MPlayer and other products, does not properly restrict read operations, which allows remote attackers to have an unspecified impact via a crafted VC-1 file, a related issue to CVE-2011-0723. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2160 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-2161 CVE STATUS: Patched CVE SUMMARY: The ape_read_header function in ape.c in libavformat in FFmpeg before 0.5.4, as used in MPlayer, VideoLAN VLC media player, and other products, allows remote attackers to cause a denial of service (application crash) via an APE (aka Monkey's Audio) file that contains a header but no frames. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2161 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-2162 CVE STATUS: Patched CVE SUMMARY: Multiple unspecified vulnerabilities in FFmpeg 0.4.x through 0.6.x, as used in MPlayer 1.0 and other products, in Mandriva Linux 2009.0, 2010.0, and 2010.1; Corporate Server 4.0 (aka CS4.0); and Mandriva Enterprise Server 5 (aka MES5) have unknown impact and attack vectors, related to issues "originally discovered by Google Chrome developers." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2162 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3362 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the decode_residual_block function in cavsdec.c in libavcodec in FFmpeg before 0.7.3 and 0.8.x before 0.8.2, and libav through 0.7.1, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Chinese AVS video (aka CAVS) file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3362 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3504 CVE STATUS: Patched CVE SUMMARY: The Matroska format decoder in FFmpeg before 0.8.3 does not properly allocate memory, which allows remote attackers to execute arbitrary code via a crafted file. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3504 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3929 CVE STATUS: Patched CVE SUMMARY: The avpriv_dv_produce_packet function in libavcodec in FFmpeg 0.7.x before 0.7.12 and 0.8.x before 0.8.11 and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.5, and 0.8.x before 0.8.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) and possibly execute arbitrary code via a crafted DV file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3929 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3934 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in the vp3_update_thread_context function in libavcodec/vp3.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via crafted vp3 data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3934 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3935 CVE STATUS: Patched CVE SUMMARY: The codec_get_buffer function in ffmpeg.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via vectors related to a crafted image size. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3935 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3936 CVE STATUS: Patched CVE SUMMARY: The dv_extract_audio function in libavcodec in FFmpeg 0.7.x before 0.7.12 and 0.8.x before 0.8.11 and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.5, and 0.8.x before 0.8.1 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted DV file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3936 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3937 CVE STATUS: Patched CVE SUMMARY: The H.263 codec (libavcodec/h263dec.c) in FFmpeg 0.7.x before 0.7.12, 0.8.x before 0.8.11, and unspecified versions before 0.10, and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.5, and 0.8.x before 0.8.1 has unspecified impact and attack vectors related to "width/height changing with frame threads." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3937 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3940 CVE STATUS: Patched CVE SUMMARY: nsvdec.c in libavcodec in FFmpeg 0.7.x before 0.7.12 and 0.8.x before 0.8.11, and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.5, and 0.8.x before 0.8.1, allows remote attackers to cause a denial of service (out-of-bounds read and write) via a crafted NSV file that triggers "use of uninitialized streams." CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3940 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3941 CVE STATUS: Patched CVE SUMMARY: The decode_mb function in libavcodec/error_resilience.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via vectors related to an uninitialized block index, which triggers an out-of-bounds write. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3941 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3944 CVE STATUS: Patched CVE SUMMARY: The smacker_decode_header_tree function in libavcodec/smacker.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via crafted Smacker data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3944 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3945 CVE STATUS: Patched CVE SUMMARY: The decode_frame function in the KVG1 decoder (kgv1dec.c) in libavcodec in FFmpeg 0.7.x before 0.7.12 and 0.8.x before 0.8.11, and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.5, and 0.8.x before 0.8.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted media file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3945 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3946 CVE STATUS: Patched CVE SUMMARY: The ff_h264_decode_sei function in libavcodec/h264_sei.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via crafted Supplemental enhancement information (SEI) data, which triggers an infinite loop. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3946 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3947 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in mjpegbdec.c in libavcodec in FFmpeg 0.7.x before 0.7.12 and 0.8.x before 0.8.11, and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.5, and 0.8.x before 0.8.1, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MJPEG-B file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3947 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3949 CVE STATUS: Patched CVE SUMMARY: The dirac_unpack_idwt_params function in libavcodec/diracdec.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via crafted Dirac data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3949 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3950 CVE STATUS: Patched CVE SUMMARY: The dirac_decode_data_unit function in libavcodec/diracdec.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via a crafted value in the reference pictures number. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3950 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3951 CVE STATUS: Patched CVE SUMMARY: The dpcm_decode_frame function in dpcm.c in libavcodec in FFmpeg before 0.10 and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.6, and 0.8.x before 0.8.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted stereo stream in a media file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3951 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3952 CVE STATUS: Patched CVE SUMMARY: The decode_init function in kmvc.c in libavcodec in FFmpeg before 0.10 and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.6, and 0.8.x before 0.8.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large palette size in a KMVC encoded file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3952 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3973 CVE STATUS: Patched CVE SUMMARY: cavsdec.c in libavcodec in FFmpeg before 0.7.4 and 0.8.x before 0.8.3 allows remote attackers to cause a denial of service (incorrect write operation and application crash) via an invalid bitstream in a Chinese AVS video (aka CAVS) file, related to the decode_residual_block, check_for_slice, and cavs_decode_frame functions, a different vulnerability than CVE-2011-3362. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3973 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-3974 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the decode_residual_inter function in cavsdec.c in libavcodec in FFmpeg before 0.7.4 and 0.8.x before 0.8.3 allows remote attackers to cause a denial of service (incorrect write operation and application crash) via an invalid bitstream in a Chinese AVS video (aka CAVS) file, a different vulnerability than CVE-2011-3362. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3974 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-4031 CVE STATUS: Patched CVE SUMMARY: Integer underflow in the asfrtp_parse_packet function in libavformat/rtpdec_asf.c in FFmpeg before 0.8.3 allows remote attackers to execute arbitrary code via a crafted ASF packet. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4031 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-4351 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in FFmpeg before 0.5.6, 0.6.x before 0.6.4, 0.7.x before 0.7.8, and 0.8.x before 0.8.8 allows remote attackers to execute arbitrary code via unspecified vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4351 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-4352 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the vp3_dequant function in the VP3 decoder (vp3.c) in libavcodec in FFmpeg 0.5.x before 0.5.7, 0.6.x before 0.6.4, 0.7.x before 0.7.9, and 0.8.x before 0.8.8; and in Libav 0.5.x before 0.5.6, 0.6.x before 0.6.4, and 0.7.x before 0.7.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VP3 stream, which triggers a buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4352 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-4353 CVE STATUS: Patched CVE SUMMARY: The (1) av_image_fill_pointers, (2) vp5_parse_coeff, and (3) vp6_parse_coeff functions in FFmpeg 0.5.x before 0.5.7, 0.6.x before 0.6.4, 0.7.x before 0.7.9, and 0.8.x before 0.8.8; and in Libav 0.5.x before 0.5.6, 0.6.x before 0.6.4, and 0.7.x before 0.7.3 allow remote attackers to cause a denial of service (out-of-bounds read) via a crafted VP5 or VP6 stream. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4353 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-4364 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the Sierra VMD decoder in libavcodec in FFmpeg 0.5.x before 0.5.7, 0.6.x before 0.6.4, 0.7.x before 0.7.9 and 0.8.x before 0.8.8; and in Libav 0.5.x before 0.5.6, 0.6.x before 0.6.4, and 0.7.x before 0.7.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VMD file, related to corrupted streams. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4364 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2011-4579 CVE STATUS: Patched CVE SUMMARY: The svq1_decode_frame function in the SVQ1 decoder (svq1dec.c) in libavcodec in FFmpeg 0.5.x before 0.5.7, 0.6.x before 0.6.4, 0.7.x before 0.7.9, and 0.8.x before 0.8.8; and in Libav 0.5.x before 0.5.6, 0.6.x before 0.6.4, and 0.7.x before 0.7.3 allows remote attackers to cause a denial of service (memory corruption) via a crafted SVQ1 stream, related to "dimensions changed." CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4579 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-0847 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the avfilter_filter_samples function in libavfilter/avfilter.c in FFmpeg before 0.9.1 allows remote attackers to cause a denial of service (application crash) via a crafted media file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0847 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-0848 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the ws_snd_decode_frame function in libavcodec/ws-snd1.c in FFmpeg 0.9.1 allows remote attackers to cause a denial of service (application crash) via a crafted media file, related to an incorrect calculation, aka "wrong samples count." CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0848 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-0849 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the ff_j2k_dwt_init function in libavcodec/j2k_dwt.c in FFmpeg before 0.9.1 allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted JPEG2000 image that triggers an incorrect check for a negative value. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0849 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-0850 CVE STATUS: Patched CVE SUMMARY: The sbr_qmf_synthesis function in libavcodec/aacsbr.c in FFmpeg before 0.9.1 allows remote attackers to cause a denial of service (application crash) via a crafted mpg file that triggers memory corruption involving the v_off variable, probably a buffer underflow. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0850 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-0851 CVE STATUS: Patched CVE SUMMARY: The ff_h264_decode_seq_parameter_set function in h264_ps.c in libavcodec in FFmpeg before 0.9.1 and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.6, and 0.8.x before 0.8.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted H.264 file, related to the chroma_format_idc value. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0851 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-0852 CVE STATUS: Patched CVE SUMMARY: The adpcm_decode_frame function in adpcm.c in libavcodec in FFmpeg before 0.9.1 and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.6, and 0.8.x before 0.8.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an ADPCM file with the number of channels not equal to two. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0852 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-0853 CVE STATUS: Patched CVE SUMMARY: The decodeTonalComponents function in the Actrac3 codec (atrac3.c) in libavcodec in FFmpeg 0.7.x before 0.7.12, and 0.8.x before 0.8.11; and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.5, and 0.8.x before 0.8.1 allows remote attackers to cause a denial of service (infinite loop and crash) and possibly execute arbitrary code via a large component count in an Atrac 3 file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0853 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-0854 CVE STATUS: Patched CVE SUMMARY: The dpcm_decode_frame function in libavcodec/dpcm.c in FFmpeg before 0.9.1 does not use the proper pointer after an audio API change, which allows remote attackers to cause a denial of service (application crash) via unspecified vectors, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0854 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-0855 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the get_sot function in the J2K decoder (j2k.c) in libavcodec in FFmpeg before 0.9.1 allows remote attackers to cause a denial of service (application crash) via unspecified vectors related to the curtileno variable. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0855 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-0856 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the MPV_frame_start function in libavcodec/mpegvideo.c in FFmpeg before 0.9.1, when the lowres option is enabled, allows remote attackers to cause a denial of service (application crash) via a crafted H263 media file. NOTE: this vulnerability exists because of a regression error. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0856 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-0857 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in the get_qcx function in the J2K decoder (j2kdec.c) in libavcode in FFmpeg before 0.9.1 allow remote attackers to cause a denial of service (application crash) via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0857 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-0858 CVE STATUS: Patched CVE SUMMARY: The Shorten codec (shorten.c) in libavcodec in FFmpeg 0.7.x before 0.7.12 and 0.8.x before 0.8.11, and in Libav 0.5.x before 0.5.9, 0.6.x before 0.6.6, 0.7.x before 0.7.5, and 0.8.x before 0.8.1, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted Shorten file, related to an "invalid free". CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0858 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-0859 CVE STATUS: Patched CVE SUMMARY: The render_line function in the vorbis codec (vorbis.c) in libavcodec in FFmpeg before 0.9.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted Vorbis file, related to a large multiplier. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3893. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0859 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2771 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact and attack vectors, a different vulnerability than CVE-2012-2773, CVE-2012-2778, CVE-2012-2780, and CVE-2012-2781. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2771 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2772 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the ff_rv34_decode_frame function in libavcodec/rv34.c in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.4, has unknown impact and attack vectors, related to "width/height changing with frame threading." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2772 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2773 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact and attack vectors, a different vulnerability than CVE-2012-2771, CVE-2012-2778, CVE-2012-2780, and CVE-2012-2781. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2773 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2774 CVE STATUS: Patched CVE SUMMARY: The ff_MPV_frame_start function in libavcodec/mpegvideo.c in FFmpeg before 0.11 allows remote attackers to cause a denial of service (memory corruption) via unspecified vectors, related to starting "a frame outside SETUP state." CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2774 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2775 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the read_var_block_data function in libavcodec/alsdec.c in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.4, has unknown impact and attack vectors, related to a large order and an "out of array write in quant_cof." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2775 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2776 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the decode_cell_data function in libavcodec/indeo3.c in FFmpeg before 0.11 and Libav 0.8.x before 0.8.4 has unknown impact and attack vectors, related to an "out of picture write." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2776 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2777 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the decode_pic function in libavcodec/cavsdec.c in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.4, has unknown impact and attack vectors, related to "width/height changing in CAVS," a different vulnerability than CVE-2012-2784. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2777 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2778 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact and attack vectors, a different vulnerability than CVE-2012-2771, CVE-2012-2773, CVE-2012-2780, and CVE-2012-2781. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2778 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2779 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the decode_frame function in libavcodec/indeo5.c in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.4, has unknown impact and attack vectors, related to an invalid "gop header" and decoding in a "half initialized context." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2779 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2780 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact and attack vectors, a different vulnerability than CVE-2012-2771, CVE-2012-2773, CVE-2012-2778, and CVE-2012-2781. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2780 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2781 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in FFmpeg before 0.10.3 has unknown impact and attack vectors, a different vulnerability than CVE-2012-2771, CVE-2012-2773, CVE-2012-2778, and CVE-2012-2780. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2781 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2782 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the decode_slice_header function in libavcodec/h264.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to a "rejected resolution change." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2782 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2783 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in libavcodec/vp56.c in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.5, has unknown impact and attack vectors, related to "freeing the returned frame." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2783 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2784 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the decode_pic function in libavcodec/cavsdec.c in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.4, has unknown impact and attack vectors, related to "width/height changing in CAVS," a different vulnerability than CVE-2012-2777. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2784 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2785 CVE STATUS: Patched CVE SUMMARY: Multiple unspecified vulnerabilities in libavcodec/wmalosslessdec.c in FFmpeg before 0.11 have unknown impact and attack vectors, related to (1) "some subframes only encode some channels" or (2) a large order value. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2785 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2786 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the decode_wdlt function in libavcodec/dfa.c in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.4, has unknown impact and attack vectors, related to an "out of array write." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2786 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2787 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the decode_frame function in libavcodec/indeo4.c in FFmpeg before 0.11 and Libav 0.8.x before 0.8.4 has unknown impact and attack vectors, related to the "setup width/height." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2787 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2788 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the avi_read_packet function in libavformat/avidec.c in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.4, has unknown impact and attack vectors, related to an "out of array read" when a "packet is shrunk." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2788 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2789 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the avi_read_packet function in libavformat/avidec.c in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.4, has unknown impact and attack vectors, related to a large number of vector coded coefficients (num_vec_coeffs). CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2789 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2790 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the read_var_block_data function in libavcodec/alsdec.c in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.4, has unknown impact and attack vectors, related to the "number of decoded samples in first sub-block in BGMC mode." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2790 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2791 CVE STATUS: Patched CVE SUMMARY: Multiple unspecified vulnerabilities in the (1) decode_band_hdr function in indeo4.c and (2) ff_ivi_decode_blocks function in ivi_common.c in libavcodec/ in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.5, have unknown impact and attack vectors, related to the "transform size." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2791 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2792 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the decode_init function in libavcodec/wmalosslessdec.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to the samples per frame. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2792 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2793 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the lag_decode_zero_run_line function in libavcodec/lagarith.c in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.4, has unknown impact and attack vectors related to "too many zeros." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2793 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2794 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the decode_mb_info function in libavcodec/indeo5.c in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.4, has unknown impact and attack vectors in which the "allocated tile size ... mismatches parameters." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2794 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2795 CVE STATUS: Patched CVE SUMMARY: Multiple unspecified vulnerabilities in libavcodec/wmalosslessdec.c in FFmpeg before 0.11 have unknown impact and attack vectors related to (1) size of "mclms arrays," (2) "a get_bits(0) in decode_ac_filter," and (3) "too many bits in decode_channel_residues()." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2795 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2796 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the vc1_decode_frame function in libavcodec/vc1dec.c in FFmpeg before 0.11 and Libav 0.8.x before 0.8.4 has unknown impact and attack vectors, related to inconsistencies in "coded slice positions and interlacing" that trigger "out of array writes." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2796 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2797 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the decode_frame_mp3on4 function in libavcodec/mpegaudiodec.c in FFmpeg before 0.11 and Libav 0.8.x before 0.8.5 has unknown impact and attack vectors related to a calculation that prevents a frame from being "large enough." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2797 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2798 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the decode_dds1 function in libavcodec/dfa.c in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.4, has unknown impact and attack vectors, related to an "out of array write." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2798 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2799 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in libavcodec/wmalosslessdec.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to the "put bit buffer when num_saved_bits is reset." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2799 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2800 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the ff_ivi_process_empty_tile function in libavcodec/ivi_common.c in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.4, has unknown impact and attack vectors in which the "tile size ... mismatches parameters" and triggers "writing into a too small array." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2800 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2801 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in libavcodec/avs.c in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.4, has unknown impact and attack vectors, related to dimensions and "out of array writes." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2801 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2802 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the ac3_decode_frame function in libavcodec/ac3dec.c in FFmpeg before 0.11 and Libav 0.8.x before 0.8.4 has unknown impact and attack vectors, related to the "number of output channels" and "out of array writes." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2802 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2803 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in the mpeg_decode_frame function in libavcodec/mpeg12.c in FFmpeg before 0.11, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.5, has unknown impact and attack vectors, related to resetting the data size value. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2803 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2804 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in libavcodec/indeo3.c in FFmpeg before 0.11 and Libav 0.8.x before 0.8.5 has unknown impact and attack vectors, related to "reallocation code" and the luma height and width. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2804 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-2805 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in FFMPEG 0.10 allows remote attackers to cause a denial of service. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2805 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-5359 CVE STATUS: Patched CVE SUMMARY: Libavcodec in FFmpeg before 0.11 allows remote attackers to execute arbitrary code via a crafted ASF file. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5359 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-5360 CVE STATUS: Patched CVE SUMMARY: Libavcodec in FFmpeg before 0.11 allows remote attackers to execute arbitrary code via a crafted QT file. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5360 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-5361 CVE STATUS: Patched CVE SUMMARY: Libavcodec in FFmpeg before 0.11 allows remote attackers to execute arbitrary code via a crafted WMV file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5361 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-6615 CVE STATUS: Patched CVE SUMMARY: The ff_ass_split_override_codes function in libavcodec/ass_split.c in FFmpeg before 1.0.2 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a subtitle dialog without text. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6615 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-6616 CVE STATUS: Patched CVE SUMMARY: The mov_text_decode_frame function in libavcodec/movtextdec.c in FFmpeg before 1.0.2 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via crafted 3GPP TS 26.245 data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6616 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-6617 CVE STATUS: Patched CVE SUMMARY: The prepare_sdp_description function in ffserver.c in FFmpeg before 1.0.2 allows remote attackers to cause a denial of service (crash) via vectors related to the rtp format. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6617 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2012-6618 CVE STATUS: Patched CVE SUMMARY: The av_probe_input_buffer function in libavformat/utils.c in FFmpeg before 1.0.2, when running with certain -probesize values, allows remote attackers to cause a denial of service (crash) via a crafted MP3 file, possibly related to frame size or lack of sufficient "frames to estimate rate." CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6618 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0844 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the adpcm_decode_frame function in libavcodec/adpcm.c in FFmpeg before 1.0.4 allows remote attackers to have an unspecified impact via crafted DK4 data, which triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0844 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0845 CVE STATUS: Patched CVE SUMMARY: libavcodec/alsdec.c in FFmpeg before 1.0.4 allows remote attackers to have an unspecified impact via a crafted block length, which triggers an out-of-bounds write. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0845 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0846 CVE STATUS: Patched CVE SUMMARY: Array index error in the qdm2_decode_super_block function in libavcodec/qdm2.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via crafted QDM2 data, which triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0846 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0847 CVE STATUS: Patched CVE SUMMARY: The ff_id3v2_parse function in libavformat/id3v2.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via ID3v2 header data, which triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0847 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0848 CVE STATUS: Patched CVE SUMMARY: The decode_init function in libavcodec/huffyuv.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via a crafted width in huffyuv data with the predictor set to median and the colorspace set to YUV422P, which triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0848 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0849 CVE STATUS: Patched CVE SUMMARY: The roq_decode_init function in libavcodec/roqvideodec.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via a crafted (1) width or (2) height dimension that is not a multiple of sixteen in id RoQ video data. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0849 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0850 CVE STATUS: Patched CVE SUMMARY: The decode_slice_header function in libavcodec/h264.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via crafted H.264 data, which triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0850 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0851 CVE STATUS: Patched CVE SUMMARY: The decode_frame function in libavcodec/eamad.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via crafted Electronic Arts Madcow video data, which triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0851 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0852 CVE STATUS: Patched CVE SUMMARY: The parse_picture_segment function in libavcodec/pgssubdec.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via crafted RLE data, which triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0852 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0853 CVE STATUS: Patched CVE SUMMARY: The wavpack_decode_frame function in libavcodec/wavpack.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via crafted WavPack data, which triggers an out-of-bounds array access, possibly due to an off-by-one error. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0853 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0854 CVE STATUS: Patched CVE SUMMARY: The mjpeg_decode_scan_progressive_ac function in libavcodec/mjpegdec.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via crafted MJPEG data. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0854 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0855 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the alac_decode_close function in libavcodec/alac.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via a large number of samples per frame in Apple Lossless Audio Codec (ALAC) data, which triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0855 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0856 CVE STATUS: Patched CVE SUMMARY: The lpc_prediction function in libavcodec/alac.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via crafted Apple Lossless Audio Codec (ALAC) data, related to a large nb_samples value. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0856 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0857 CVE STATUS: Patched CVE SUMMARY: The decode_frame_ilbm function in libavcodec/iff.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via a crafted height value in IFF PBM/ILBM bitmap data. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0857 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0858 CVE STATUS: Patched CVE SUMMARY: The atrac3_decode_init function in libavcodec/atrac3.c in FFmpeg before 1.0.4 allows remote attackers to have an unspecified impact via ATRAC3 data with the joint stereo coding mode set and fewer than two channels. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0858 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0859 CVE STATUS: Patched CVE SUMMARY: The add_doubles_metadata function in libavcodec/tiff.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via a negative or zero count value in a TIFF image, which triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0859 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0860 CVE STATUS: Patched CVE SUMMARY: The ff_er_frame_end function in libavcodec/error_resilience.c in FFmpeg before 1.0.4 and 1.1.x before 1.1.1 does not properly verify that a frame is fully initialized, which allows remote attackers to trigger a NULL pointer dereference via crafted picture data. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0860 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0861 CVE STATUS: Patched CVE SUMMARY: The avcodec_decode_audio4 function in libavcodec/utils.c in FFmpeg before 1.0.4 and 1.1.x before 1.1.1 allows remote attackers to trigger memory corruption via vectors related to the channel layout. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0861 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0862 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the process_frame_obj function in libavcodec/sanm.c in FFmpeg before 1.1.2 allow remote attackers to have an unspecified impact via crafted image dimensions in LucasArts Smush video data, which triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0862 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0863 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the rle_decode function in libavcodec/sanm.c in FFmpeg before 1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an unspecified impact via crafted LucasArts Smush video data. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0863 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0864 CVE STATUS: Patched CVE SUMMARY: The gif_copy_img_rect function in libavcodec/gifdec.c in FFmpeg before 1.1.2 performs an incorrect calculation for an "end pointer," which allows remote attackers to have an unspecified impact via crafted GIF data that triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0864 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0865 CVE STATUS: Patched CVE SUMMARY: The vqa_decode_chunk function in libavcodec/vqavideo.c in FFmpeg before 1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an unspecified impact via a large (1) cbp0 or (2) cbpz chunk in Westwood Studios VQA Video file, which triggers an out-of-bounds write. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0865 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0866 CVE STATUS: Patched CVE SUMMARY: The aac_decode_init function in libavcodec/aacdec.c in FFmpeg before 1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an unspecified impact via a large number of channels in an AAC file, which triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0866 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0867 CVE STATUS: Patched CVE SUMMARY: The decode_slice_header function in libavcodec/h264.c in FFmpeg before 1.1.2 does not properly check when the pixel format changes, which allows remote attackers to have unspecified impact via crafted H.264 video data, related to an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0867 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0868 CVE STATUS: Patched CVE SUMMARY: libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers to have an unspecified impact via crafted Huffyuv data, related to an out-of-bounds write and (1) unchecked return codes from the init_vlc function and (2) "len==0 cases." CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0868 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0869 CVE STATUS: Patched CVE SUMMARY: The field_end function in libavcodec/h264.c in FFmpeg before 1.1.2 allows remote attackers to have an unspecified impact via crafted H.264 data, related to an SPS and slice mismatch and an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0869 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0870 CVE STATUS: Patched CVE SUMMARY: The 'vp3_decode_frame' function in FFmpeg 1.1.4 moves threads check out of header packet type check. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0870 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0872 CVE STATUS: Patched CVE SUMMARY: The swr_init function in libswresample/swresample.c in FFmpeg before 1.1.3 allows remote attackers to have an unspecified impact via an invalid or unsupported (1) input or (2) output channel layout, related to an out-of-bounds array access. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0872 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0873 CVE STATUS: Patched CVE SUMMARY: The read_header function in libavcodec/shorten.c in FFmpeg before 1.1.3 allows remote attackers to have an unspecified impact via an invalid channel count, related to "freeing invalid addresses." CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0873 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0874 CVE STATUS: Patched CVE SUMMARY: The (1) doubles2str and (2) shorts2str functions in libavcodec/tiff.c in FFmpeg before 1.1.3 allow remote attackers to have an unspecified impact via a crafted TIFF image, related to an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0874 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0875 CVE STATUS: Patched CVE SUMMARY: The ff_add_png_paeth_prediction function in libavcodec/pngdec.c in FFmpeg before 1.1.3 allows remote attackers to have an unspecified impact via a crafted PNG image, related to an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0875 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0876 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the (1) old_codec37 and (2) old_codec47 functions in libavcodec/sanm.c in FFmpeg before 1.1.3 allow remote attackers to have an unspecified impact via crafted LucasArts Smush data, which triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0876 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0877 CVE STATUS: Patched CVE SUMMARY: The old_codec37 function in libavcodec/sanm.c in FFmpeg before 1.1.3 allows remote attackers to have an unspecified impact via crafted LucasArts Smush data that has a large size when decoded, related to an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0877 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0878 CVE STATUS: Patched CVE SUMMARY: The advance_line function in libavcodec/targa.c in FFmpeg before 1.1.3 allows remote attackers to have an unspecified impact via crafted Targa image data, related to an out-of-bounds array access. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0878 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-0894 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the vorbis_parse_setup_hdr_floors function in the Vorbis decoder in vorbisdec.c in libavcodec in FFmpeg through 1.1.3, as used in Google Chrome before 25.0.1364.97 on Windows and Linux and before 25.0.1364.99 on Mac OS X and other products, allows remote attackers to cause a denial of service (divide-by-zero error or out-of-bounds array access) or possibly have unspecified other impact via vectors involving a zero value for a bark map size. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0894 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-2276 CVE STATUS: Patched CVE SUMMARY: The avcodec_decode_audio4 function in utils.c in libavcodec in FFmpeg before 1.1.3 does not verify the decoding state before proceeding with certain skip operations, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted audio data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2276 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-2277 CVE STATUS: Patched CVE SUMMARY: The ff_h264_decode_seq_parameter_set function in h264_ps.c in libavcodec in FFmpeg before 1.1.3 does not validate the relationship between luma depth and chroma depth, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted H.264 data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2277 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-2495 CVE STATUS: Patched CVE SUMMARY: The iff_read_header function in iff.c in libavformat in FFmpeg through 1.1.3 does not properly handle data sizes for Interchange File Format (IFF) data during operations involving a CMAP chunk or a video codec, which allows remote attackers to cause a denial of service (integer overflow, out-of-bounds array access, and application crash) or possibly have unspecified other impact via a crafted header. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2495 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-2496 CVE STATUS: Patched CVE SUMMARY: The msrle_decode_8_16_24_32 function in msrledec.c in libavcodec in FFmpeg through 1.1.3 does not properly determine certain end pointers, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted Microsoft RLE data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2496 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-3670 CVE STATUS: Patched CVE SUMMARY: The rle_unpack function in vmdav.c in libavcodec in FFmpeg git 20130328 through 20130501 does not properly use the bytestream2 API, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted RLE data. NOTE: the vendor has listed this as an issue fixed in 1.2.1, but the issue is actually in new code that was not shipped with the 1.2.1 release or any earlier release. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3670 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-3671 CVE STATUS: Patched CVE SUMMARY: The format_line function in log.c in libavutil in FFmpeg before 1.2.1 uses inapplicable offset data during a certain category calculation, which allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via crafted data that triggers a log message. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3671 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-3672 CVE STATUS: Patched CVE SUMMARY: The mm_decode_inter function in mmvideo.c in libavcodec in FFmpeg before 1.2.1 does not validate the relationship between a horizontal coordinate and a width value, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted American Laser Games (ALG) MM Video data. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3672 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-3673 CVE STATUS: Patched CVE SUMMARY: The gif_decode_frame function in gifdec.c in libavcodec in FFmpeg before 1.2.1 does not properly manage the disposal methods of frames, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted GIF data. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3673 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-3674 CVE STATUS: Patched CVE SUMMARY: The cdg_decode_frame function in cdgraphics.c in libavcodec in FFmpeg before 1.2.1 does not validate the presence of non-header data in a buffer, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) via crafted CD Graphics Video data. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3674 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-3675 CVE STATUS: Patched CVE SUMMARY: The process_frame_obj function in sanm.c in libavcodec in FFmpeg before 1.2.1 does not validate width and height values, which allows remote attackers to cause a denial of service (integer overflow, out-of-bounds array access, and application crash) via crafted LucasArts Smush video data. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-3675 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-4263 CVE STATUS: Patched CVE SUMMARY: libavfilter in FFmpeg before 2.0.1 has unspecified impact and remote vectors related to a crafted "plane," which triggers an out-of-bounds heap write. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4263 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-4264 CVE STATUS: Patched CVE SUMMARY: The kempf_decode_tile function in libavcodec/g2meet.c in FFmpeg before 2.0.1 allows remote attackers to cause a denial of service (out-of-bounds heap write) via a G2M4 encoded file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4264 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-4265 CVE STATUS: Patched CVE SUMMARY: The av_reallocp_array function in libavutil/mem.c in FFmpeg before 2.0.1 has an unspecified impact and remote vectors related to a "wrong return code" and a resultant NULL pointer dereference. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4265 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-4358 CVE STATUS: Patched CVE SUMMARY: libavcodec/h264.c in FFmpeg before 0.11.4 allows remote attackers to cause a denial of service (crash) via vectors related to alternating bit depths in H.264 data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4358 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7008 CVE STATUS: Patched CVE SUMMARY: The decode_slice_header function in libavcodec/h264.c in FFmpeg before 2.1 incorrectly relies on a certain droppable field, which allows remote attackers to cause a denial of service (deadlock) or possibly have unspecified other impact via crafted H.264 data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7008 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7009 CVE STATUS: Patched CVE SUMMARY: The rpza_decode_stream function in libavcodec/rpza.c in FFmpeg before 2.1 does not properly maintain a pointer to pixel data, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Apple RPZA data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7009 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7010 CVE STATUS: Patched CVE SUMMARY: Multiple integer signedness errors in libavcodec/dsputil.c in FFmpeg before 2.1 allow remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7010 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7011 CVE STATUS: Patched CVE SUMMARY: The read_header function in libavcodec/ffv1dec.c in FFmpeg before 2.1 does not prevent changes to global parameters, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted FFV1 data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7011 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7012 CVE STATUS: Patched CVE SUMMARY: The get_siz function in libavcodec/jpeg2000dec.c in FFmpeg before 2.1 does not prevent attempts to use non-zero image offsets, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG2000 data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7012 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7013 CVE STATUS: Patched CVE SUMMARY: The g2m_init_buffers function in libavcodec/g2meet.c in FFmpeg before 2.1 uses an incorrect ordering of arithmetic operations, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Go2Webinar data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7013 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7014 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the add_bytes_l2_c function in libavcodec/pngdsp.c in FFmpeg before 2.1 allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted PNG data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7014 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7015 CVE STATUS: Patched CVE SUMMARY: The flashsv_decode_frame function in libavcodec/flashsv.c in FFmpeg before 2.1 does not properly validate a certain height value, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Flash Screen Video data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7015 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7016 CVE STATUS: Patched CVE SUMMARY: The get_siz function in libavcodec/jpeg2000dec.c in FFmpeg before 2.1 does not ensure the expected sample separation, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG2000 data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7016 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7017 CVE STATUS: Patched CVE SUMMARY: libavcodec/jpeg2000.c in FFmpeg before 2.1 allows remote attackers to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via crafted JPEG2000 data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7017 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7018 CVE STATUS: Patched CVE SUMMARY: libavcodec/jpeg2000dec.c in FFmpeg before 2.1 does not ensure the use of valid code-block dimension values, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG2000 data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7018 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7019 CVE STATUS: Patched CVE SUMMARY: The get_cox function in libavcodec/jpeg2000dec.c in FFmpeg before 2.1 does not properly validate the reduction factor, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG2000 data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7019 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7020 CVE STATUS: Patched CVE SUMMARY: The read_header function in libavcodec/ffv1dec.c in FFmpeg before 2.1 does not properly enforce certain bit-count and colorspace constraints, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted FFV1 data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7020 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7021 CVE STATUS: Patched CVE SUMMARY: The filter_frame function in libavfilter/vf_fps.c in FFmpeg before 2.1 does not properly ensure the availability of FIFO content, which allows remote attackers to cause a denial of service (double free) or possibly have unspecified other impact via crafted data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7021 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7022 CVE STATUS: Patched CVE SUMMARY: The g2m_init_buffers function in libavcodec/g2meet.c in FFmpeg before 2.1 does not properly allocate memory for tiles, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Go2Webinar data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7022 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7023 CVE STATUS: Patched CVE SUMMARY: The ff_combine_frame function in libavcodec/parser.c in FFmpeg before 2.1 does not properly handle certain memory-allocation errors, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7023 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2013-7024 CVE STATUS: Patched CVE SUMMARY: The jpeg2000_decode_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2.1 does not consider the component number in certain calculations, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG2000 data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7024 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125002 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in FFmpeg 2.0. It has been classified as problematic. Affected is the function dnxhd_init_rc of the file libavcodec/dnxhdenc.c. The manipulation leads to memory corruption. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125002 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125003 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in FFmpeg 2.0 and classified as problematic. This issue affects the function get_siz of the file libavcodec/jpeg2000dec.c. The manipulation leads to memory corruption. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125003 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125004 CVE STATUS: Patched CVE SUMMARY: A vulnerability has been found in FFmpeg 2.0 and classified as problematic. This vulnerability affects the function decode_hextile of the file libavcodec/vmnc.c. The manipulation leads to memory corruption. The attack can be initiated remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125004 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125005 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as problematic, was found in FFmpeg 2.0. This affects the function decode_vol_header of the file libavcodec/mpeg4videodec.c. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125005 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125006 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as problematic, has been found in FFmpeg 2.0. Affected by this issue is the function output_frame of the file libavcodec/h264.c. The manipulation leads to memory corruption. The attack may be launched remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125006 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125007 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as problematic was found in FFmpeg 2.0. Affected by this vulnerability is the function intra_pred of the file libavcodec/hevcpred_template.c. The manipulation leads to memory corruption. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125007 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125008 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as problematic has been found in FFmpeg 2.0. Affected is the function vorbis_header of the file libavformat/oggparsevorbis.c. The manipulation leads to memory corruption. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125008 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125009 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as problematic has been found in FFmpeg 2.0. This affects the function add_yblock of the file libavcodec/snow.h. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125009 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125010 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in FFmpeg 2.0. It has been rated as critical. Affected by this issue is the function decode_slice_header of the file libavcodec/h64.c. The manipulation leads to memory corruption. The attack may be launched remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125010 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125011 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in FFmpeg 2.0. It has been declared as problematic. Affected by this vulnerability is the function decode_frame of the file libavcodec/ansi.c. The manipulation leads to integer coercion error. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125011 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125012 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in FFmpeg 2.0. It has been classified as problematic. Affected is an unknown function of the file libavcodec/dxtroy.c. The manipulation leads to integer coercion error. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125012 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125013 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in FFmpeg 2.0 and classified as problematic. This issue affects the function msrle_decode_frame of the file libavcodec/msrle.c. The manipulation leads to memory corruption. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125013 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125014 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as problematic was found in FFmpeg 2.0. Affected by this vulnerability is an unknown functionality of the component HEVC Video Decoder. The manipulation leads to memory corruption. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125014 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125015 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as critical has been found in FFmpeg 2.0. Affected is the function read_var_block_data. The manipulation leads to memory corruption. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125015 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125016 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in FFmpeg 2.0. It has been rated as problematic. This issue affects the function ff_init_buffer_info of the file utils.c. The manipulation leads to memory corruption. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125016 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125017 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as critical was found in FFmpeg 2.0. This vulnerability affects the function rpza_decode_stream. The manipulation leads to memory corruption. The attack can be initiated remotely. The name of the patch is Fixes Invalid Writes. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125017 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125018 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as problematic, has been found in FFmpeg 2.0. Affected by this issue is the function decode_slice_header. The manipulation leads to memory corruption. The attack may be launched remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125018 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125019 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as problematic, was found in FFmpeg 2.0. This affects the function decode_nal_unit of the component Slice Segment Handler. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125019 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125020 CVE STATUS: Patched CVE SUMMARY: A vulnerability has been found in FFmpeg 2.0 and classified as critical. This vulnerability affects the function decode_update_thread_context. The manipulation leads to memory corruption. The attack can be initiated remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125020 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125021 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in FFmpeg 2.0 and classified as problematic. This issue affects the function cmv_process_header. The manipulation leads to memory corruption. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125021 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125022 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in FFmpeg 2.0. It has been classified as problematic. Affected is the function shorten_decode_frame of the component Bitstream Buffer. The manipulation leads to memory corruption. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125022 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125023 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in FFmpeg 2.0. It has been declared as problematic. Affected by this vulnerability is the function truemotion1_decode_header of the component Truemotion1 Handler. The manipulation leads to memory corruption. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125023 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125024 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in FFmpeg 2.0. It has been rated as critical. Affected by this issue is the function lag_decode_frame. The manipulation leads to memory corruption. The attack may be launched remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125024 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-125025 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as problematic has been found in FFmpeg 2.0. This affects the function decode_pulses. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-125025 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-2097 CVE STATUS: Patched CVE SUMMARY: The tak_decode_frame function in libavcodec/takdec.c in FFmpeg before 2.1.4 does not properly validate a certain bits-per-sample value, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted TAK (aka Tom's lossless Audio Kompressor) data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2097 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-2098 CVE STATUS: Patched CVE SUMMARY: libavcodec/wmalosslessdec.c in FFmpeg before 2.1.4 uses an incorrect data-structure size for certain coefficients, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted WMA data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2098 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-2099 CVE STATUS: Patched CVE SUMMARY: The msrle_decode_frame function in libavcodec/msrle.c in FFmpeg before 2.1.4 does not properly calculate line sizes, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Microsoft RLE video data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2099 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-2263 CVE STATUS: Patched CVE SUMMARY: The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB) muxer (libavformat/mpegtsenc.c) in FFmpeg, possibly 2.1 and earlier, allows remote attackers to have unspecified impact and vectors, which trigger an out-of-bounds write. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2263 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-4610 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the get_len function in libavutil/lzo.c in FFmpeg before 0.10.14, 1.1.x before 1.1.12, 1.2.x before 1.2.7, 2.0.x before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.4 allows remote attackers to execute arbitrary code via a crafted Literal Run. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-4610 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-5271 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the encode_slice function in libavcodec/proresenc_kostya.c in FFMpeg before 1.1.14, 1.2.x before 1.2.8, 2.x before 2.2.7, and 2.3.x before 2.3.3 and Libav before 10.5 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5271 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-5272 CVE STATUS: Patched CVE SUMMARY: libavcodec/iff.c in FFMpeg before 1.1.14, 1.2.x before 1.2.8, 2.2.x before 2.2.7, and 2.3.x before 2.3.2 allows remote attackers to have unspecified impact via a crafted iff image, which triggers an out-of-bounds array access, related to the rgb8 and rgbn formats. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5272 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-7933 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the matroska_read_seek function in libavformat/matroskadec.c in FFmpeg before 2.5.1, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Matroska file that triggers improper maintenance of tracks data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7933 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-7937 CVE STATUS: Patched CVE SUMMARY: Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7937 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-8541 CVE STATUS: Patched CVE SUMMARY: libavcodec/mjpegdec.c in FFmpeg before 2.4.2 considers only dimension differences, and not bits-per-pixel differences, when determining whether an image size has changed, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted MJPEG data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8541 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-8542 CVE STATUS: Patched CVE SUMMARY: libavcodec/utils.c in FFmpeg before 2.4.2 omits a certain codec ID during enforcement of alignment, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted JV data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8542 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-8543 CVE STATUS: Patched CVE SUMMARY: libavcodec/mmvideo.c in FFmpeg before 2.4.2 does not consider all lines of HHV Intra blocks during validation of image height, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted MM video data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8543 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-8544 CVE STATUS: Patched CVE SUMMARY: libavcodec/tiff.c in FFmpeg before 2.4.2 does not properly validate bits-per-pixel fields, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted TIFF data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8544 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-8545 CVE STATUS: Patched CVE SUMMARY: libavcodec/pngdec.c in FFmpeg before 2.4.2 accepts the monochrome-black format without verifying that the bits-per-pixel value is 1, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted PNG data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8545 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-8546 CVE STATUS: Patched CVE SUMMARY: Integer underflow in libavcodec/cinepak.c in FFmpeg before 2.4.2 allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted Cinepak video data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8546 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-8547 CVE STATUS: Patched CVE SUMMARY: libavcodec/gifdec.c in FFmpeg before 2.4.2 does not properly compute image heights, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted GIF data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8547 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-8548 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in libavcodec/smc.c in FFmpeg before 2.4.2 allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted Quicktime Graphics (aka SMC) video data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8548 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-8549 CVE STATUS: Patched CVE SUMMARY: libavcodec/on2avc.c in FFmpeg before 2.4.2 does not constrain the number of channels to at most 2, which allows remote attackers to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via crafted On2 data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8549 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-9316 CVE STATUS: Patched CVE SUMMARY: The mjpeg_decode_app function in libavcodec/mjpegdec.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds heap access) and possibly have other unspecified impact via vectors related to LJIF tags in an MJPEG file. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9316 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-9317 CVE STATUS: Patched CVE SUMMARY: The decode_ihdr_chunk function in libavcodec/pngdec.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds heap access) and possibly have other unspecified impact via an IDAT before an IHDR in a PNG file. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9317 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-9318 CVE STATUS: Patched CVE SUMMARY: The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds heap access) and possibly have other unspecified impact via a crafted .cine file that triggers the avpicture_get_size function to return a negative frame size. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9318 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-9319 CVE STATUS: Patched CVE SUMMARY: The ff_hevc_decode_nal_sps function in libavcodec/hevc_ps.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted .bit file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9319 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-9602 CVE STATUS: Patched CVE SUMMARY: libavcodec/xface.h in FFmpeg before 2.5.2 establishes certain digits and words array dimensions that do not satisfy a required mathematical relationship, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted X-Face image data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9602 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-9603 CVE STATUS: Patched CVE SUMMARY: The vmd_decode function in libavcodec/vmdvideo.c in FFmpeg before 2.5.2 does not validate the relationship between a certain length value and the frame width, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Sierra VMD video data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9603 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-9604 CVE STATUS: Patched CVE SUMMARY: libavcodec/utvideodec.c in FFmpeg before 2.5.2 does not check for a zero value of a slice height, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Ut Video data, related to the (1) restore_median and (2) restore_median_il functions. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9604 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2014-9676 CVE STATUS: Patched CVE SUMMARY: The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9676 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-1208 CVE STATUS: Patched CVE SUMMARY: Integer underflow in the mov_read_default function in libavformat/mov.c in FFmpeg before 2.4.6 allows remote attackers to obtain sensitive information from heap and/or stack memory via a crafted MP4 file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1208 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-1872 CVE STATUS: Patched CVE SUMMARY: The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Motion JPEG data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1872 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-3395 CVE STATUS: Patched CVE SUMMARY: The msrle_decode_pal4 function in msrledec.c in Libav before 10.7 and 11.x before 11.4 and FFmpeg before 2.0.7, 2.2.x before 2.2.15, 2.4.x before 2.4.8, 2.5.x before 2.5.6, and 2.6.x before 2.6.2 allows remote attackers to have unspecified impact via a crafted image, related to a pixel pointer, which triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3395 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-3417 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the ff_h264_free_tables function in libavcodec/h264.c in FFmpeg before 2.3.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted H.264 data in an MP4 file, as demonstrated by an HTML VIDEO element that references H.264 data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3417 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-6761 CVE STATUS: Patched CVE SUMMARY: The update_dimensions function in libavcodec/vp8.c in FFmpeg through 2.8.1, as used in Google Chrome before 46.0.2490.71 and other products, relies on a coefficient-partition count during multi-threaded operation, which allows remote attackers to cause a denial of service (race condition and memory corruption) or possibly have unspecified other impact via a crafted WebM file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6761 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-6818 CVE STATUS: Patched CVE SUMMARY: The decode_ihdr_chunk function in libavcodec/pngdec.c in FFmpeg before 2.7.2 does not enforce uniqueness of the IHDR (aka image header) chunk in a PNG image, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted image with two or more of these chunks. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6818 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-6819 CVE STATUS: Patched CVE SUMMARY: Multiple integer underflows in the ff_mjpeg_decode_frame function in libavcodec/mjpegdec.c in FFmpeg before 2.7.2 allow remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted MJPEG data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6819 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-6820 CVE STATUS: Patched CVE SUMMARY: The ff_sbr_apply function in libavcodec/aacsbr.c in FFmpeg before 2.7.2 does not check for a matching AAC frame syntax element before proceeding with Spectral Band Replication calculations, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted AAC data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6820 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-6821 CVE STATUS: Patched CVE SUMMARY: The ff_mpv_common_init function in libavcodec/mpegvideo.c in FFmpeg before 2.7.2 does not properly maintain the encoding context, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via crafted MPEG data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6821 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-6822 CVE STATUS: Patched CVE SUMMARY: The destroy_buffers function in libavcodec/sanm.c in FFmpeg before 2.7.2 does not properly maintain height and width values in the video context, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via crafted LucasArts Smush video data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6822 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-6823 CVE STATUS: Patched CVE SUMMARY: The allocate_buffers function in libavcodec/alac.c in FFmpeg before 2.7.2 does not initialize certain context data, which allows remote attackers to cause a denial of service (segmentation violation) or possibly have unspecified other impact via crafted Apple Lossless Audio Codec (ALAC) data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6823 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-6824 CVE STATUS: Patched CVE SUMMARY: The sws_init_context function in libswscale/utils.c in FFmpeg before 2.7.2 does not initialize certain pixbuf data structures, which allows remote attackers to cause a denial of service (segmentation violation) or possibly have unspecified other impact via crafted video data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6824 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-6825 CVE STATUS: Patched CVE SUMMARY: The ff_frame_thread_init function in libavcodec/pthread_frame.c in FFmpeg before 2.7.2 mishandles certain memory-allocation failures, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via a crafted file, as demonstrated by an AVI file. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6825 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-6826 CVE STATUS: Patched CVE SUMMARY: The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c in FFmpeg before 2.7.2 does not initialize certain structure members, which allows remote attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via crafted (1) RV30 or (2) RV40 RealVideo data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6826 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-8216 CVE STATUS: Patched CVE SUMMARY: The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg before 2.8.2 omits certain width and height checks, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted MJPEG data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8216 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-8217 CVE STATUS: Patched CVE SUMMARY: The ff_hevc_parse_sps function in libavcodec/hevc_ps.c in FFmpeg before 2.8.2 does not validate the Chroma Format Indicator, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted High Efficiency Video Coding (HEVC) data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8217 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-8218 CVE STATUS: Patched CVE SUMMARY: The decode_uncompressed function in libavcodec/faxcompr.c in FFmpeg before 2.8.2 does not validate uncompressed runs, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted CCITT FAX data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8218 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-8219 CVE STATUS: Patched CVE SUMMARY: The init_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2.8.2 does not enforce minimum-value and maximum-value constraints on tile coordinates, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8219 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-8363 CVE STATUS: Patched CVE SUMMARY: The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not enforce uniqueness of the SIZ marker in a JPEG 2000 image, which allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via a crafted image with two or more of these markers. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8363 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-8364 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the ff_ivi_init_planes function in libavcodec/ivi.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 allows remote attackers to cause a denial of service (out-of-bounds heap-memory access) or possibly have unspecified other impact via crafted image dimensions in Indeo Video Interactive data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8364 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-8365 CVE STATUS: Patched CVE SUMMARY: The smka_decode_frame function in libavcodec/smacker.c in FFmpeg before 2.6.5, 2.7.x before 2.7.3, and 2.8.x through 2.8.2 does not verify that the data size is consistent with the number of channels, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Smacker data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8365 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-8661 CVE STATUS: Patched CVE SUMMARY: The h264_slice_header_init function in libavcodec/h264_slice.c in FFmpeg before 2.8.3 does not validate the relationship between the number of threads and the number of slices, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted H.264 data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 8.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8661 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-8662 CVE STATUS: Patched CVE SUMMARY: The ff_dwt_decode function in libavcodec/jpeg2000dwt.c in FFmpeg before 2.8.4 does not validate the number of decomposition levels before proceeding with Discrete Wavelet Transform decoding, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted JPEG 2000 data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8662 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2015-8663 CVE STATUS: Patched CVE SUMMARY: The ff_get_buffer function in libavcodec/utils.c in FFmpeg before 2.8.4 preserves width and height values after a failure, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted .mov file. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 8.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8663 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-10190 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in libavformat/http.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote web servers to execute arbitrary code via a negative chunk size in an HTTP response. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10190 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-10191 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in libavformat/rtmppkt.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote attackers to execute arbitrary code by leveraging failure to check for RTMP packet size mismatches. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10191 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-10192 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in ffserver.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote attackers to execute arbitrary code by leveraging failure to check chunk size. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10192 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-1897 CVE STATUS: Patched CVE SUMMARY: FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1897 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-1898 CVE STATUS: Patched CVE SUMMARY: FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains an arbitrary line of a local file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1898 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-2213 CVE STATUS: Patched CVE SUMMARY: The jpeg2000_decode_tile function in libavcodec/jpeg2000dec.c in FFmpeg before 2.8.6 allows remote attackers to cause a denial of service (out-of-bounds array read access) via crafted JPEG 2000 data. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2213 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-2326 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the asf_write_packet function in libavformat/asfenc.c in FFmpeg before 2.8.5 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PTS (aka presentation timestamp) value in a .mov file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2326 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-2327 CVE STATUS: Patched CVE SUMMARY: libavcodec/pngenc.c in FFmpeg before 2.8.5 uses incorrect line sizes in certain row calculations, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted .avi file, related to the apng_encode_frame and encode_apng functions. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2327 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-2328 CVE STATUS: Patched CVE SUMMARY: libswscale/swscale_unscaled.c in FFmpeg before 2.8.6 does not validate certain height values, which allows remote attackers to cause a denial of service (out-of-bounds array read access) or possibly have unspecified other impact via a crafted .cine file, related to the bayer_to_rgb24_wrapper and bayer_to_yv12_wrapper functions. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2328 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-2329 CVE STATUS: Patched CVE SUMMARY: libavcodec/tiff.c in FFmpeg before 2.8.6 does not properly validate RowsPerStrip values and YCbCr chrominance subsampling factors, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted TIFF file, related to the tiff_decode_tag and decode_frame functions. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2329 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-2330 CVE STATUS: Patched CVE SUMMARY: libavcodec/gif.c in FFmpeg before 2.8.6 does not properly calculate a buffer size, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via a crafted .tga file, related to the gif_image_write_image, gif_encode_init, and gif_encode_close functions. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2330 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-3062 CVE STATUS: Patched CVE SUMMARY: The mov_read_dref function in libavformat/mov.c in Libav before 11.7 and FFmpeg before 0.11 allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via the entries value in a dref box in an MP4 file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3062 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-6164 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the mov_build_index function in libavformat/mov.c in FFmpeg before 2.8.8, 3.0.x before 3.0.3 and 3.1.x before 3.1.1 allows remote attackers to have unspecified impact via vectors involving sample size. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6164 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-6671 CVE STATUS: Patched CVE SUMMARY: The raw_decode function in libavcodec/rawdec.c in FFmpeg before 3.1.2 allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted SWF file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6671 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-6881 CVE STATUS: Patched CVE SUMMARY: The zlib_refill function in libavformat/swfdec.c in FFmpeg before 3.1.3 allows remote attackers to cause an infinite loop denial of service via a crafted SWF file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6881 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-6920 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the decode_block function in libavcodec/exr.c in FFmpeg before 3.1.3 allows remote attackers to cause a denial of service (application crash) via vectors involving tile positions. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6920 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-7122 CVE STATUS: Patched CVE SUMMARY: The avi_read_nikon function in libavformat/avidec.c in FFmpeg before 3.1.4 is vulnerable to infinite loop when it decodes an AVI file that has a crafted 'nctg' structure. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7122 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-7450 CVE STATUS: Patched CVE SUMMARY: The ff_log2_16bit_c function in libavutil/intmath.h in FFmpeg before 3.1.4 is vulnerable to reading out-of-bounds memory when it decodes a malformed AIFF file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7450 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-7502 CVE STATUS: Patched CVE SUMMARY: The cavs_idct8_add_c function in libavcodec/cavsdsp.c in FFmpeg before 3.1.4 is vulnerable to reading out-of-bounds memory when decoding with cavs_decode. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7502 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-7555 CVE STATUS: Patched CVE SUMMARY: The avi_read_header function in libavformat/avidec.c in FFmpeg before 3.1.4 is vulnerable to memory leak when decoding an AVI file that has a crafted "strh" structure. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7555 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-7562 CVE STATUS: Patched CVE SUMMARY: The ff_draw_pc_font function in libavcodec/cga_data.c in FFmpeg before 3.1.4 allows remote attackers to cause a denial of service (buffer overflow) via a crafted AVI file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7562 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-7785 CVE STATUS: Patched CVE SUMMARY: The avi_read_seek function in libavformat/avidec.c in FFmpeg before 3.1.4 allows remote attackers to cause a denial of service (assert fault) via a crafted AVI file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7785 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-7905 CVE STATUS: Patched CVE SUMMARY: The read_gab2_sub function in libavformat/avidec.c in FFmpeg before 3.1.4 allows remote attackers to cause a denial of service (NULL pointer used) via a crafted AVI file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7905 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-8595 CVE STATUS: Patched CVE SUMMARY: The gsm_parse function in libavcodec/gsm_parser.c in FFmpeg before 3.1.5 allows remote attackers to cause a denial of service (assert fault) via a crafted AVI file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8595 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2016-9561 CVE STATUS: Patched CVE SUMMARY: The che_configure function in libavcodec/aacdec_template.c in FFmpeg before 3.2.1 allows remote attackers to cause a denial of service (allocation of huge memory, and being killed by the OS) via a crafted MOV file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9561 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-1000460 CVE STATUS: Patched CVE SUMMARY: In line libavcodec/h264dec.c:500 in libav(v13_dev0), ffmpeg(n3.4), chromium(56 prior Feb 13, 2017), the return value of init_get_bits is ignored and get_ue_golomb(&gb) is called on an uninitialized get_bits context, which causes a NULL deref exception. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000460 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-11399 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the ape_decode_frame function in libavcodec/apedec.c in FFmpeg 2.4 through 3.3.2 allows remote attackers to cause a denial of service (out-of-array access and application crash) or possibly have unspecified other impact via a crafted APE file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11399 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-11665 CVE STATUS: Patched CVE SUMMARY: The ff_amf_get_field_value function in libavformat/rtmppkt.c in FFmpeg 3.3.2 allows remote RTMP servers to cause a denial of service (Segmentation Violation and application crash) via a crafted stream. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11665 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-11719 CVE STATUS: Patched CVE SUMMARY: The dnxhd_decode_header function in libavcodec/dnxhddec.c in FFmpeg 3.0 through 3.3.2 allows remote attackers to cause a denial of service (out-of-array access) or possibly have unspecified other impact via a crafted DNxHD file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11719 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-14054 CVE STATUS: Patched CVE SUMMARY: In libavformat/rmdec.c in FFmpeg 3.3.3, a DoS in ivr_read_header() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted IVR file, which claims a large "len" field in the header but does not contain sufficient backing data, is provided, the first type==4 loop would consume huge CPU resources, since there is no EOF check inside the loop. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14054 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-14055 CVE STATUS: Patched CVE SUMMARY: In libavformat/mvdec.c in FFmpeg 3.3.3, a DoS in mv_read_header() due to lack of an EOF (End of File) check might cause huge CPU and memory consumption. When a crafted MV file, which claims a large "nb_frames" field in the header but does not contain sufficient backing data, is provided, the loop over the frames would consume huge CPU and memory resources, since there is no EOF check inside the loop. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14055 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-14056 CVE STATUS: Patched CVE SUMMARY: In libavformat/rl2.c in FFmpeg 3.3.3, a DoS in rl2_read_header() due to lack of an EOF (End of File) check might cause huge CPU and memory consumption. When a crafted RL2 file, which claims a large "frame_count" field in the header but does not contain sufficient backing data, is provided, the loops (for offset and size tables) would consume huge CPU and memory resources, since there is no EOF check inside these loops. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14056 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-14057 CVE STATUS: Patched CVE SUMMARY: In FFmpeg 3.3.3, a DoS in asf_read_marker() due to lack of an EOF (End of File) check might cause huge CPU and memory consumption. When a crafted ASF file, which claims a large "name_len" or "count" field in the header but does not contain sufficient backing data, is provided, the loops over the name and markers would consume huge CPU and memory resources, since there is no EOF check inside these loops. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14057 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-14058 CVE STATUS: Patched CVE SUMMARY: In FFmpeg 2.4 and 3.3.3, the read_data function in libavformat/hls.c does not restrict reload attempts for an insufficient list, which allows remote attackers to cause a denial of service (infinite loop). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14058 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-14059 CVE STATUS: Patched CVE SUMMARY: In FFmpeg 3.3.3, a DoS in cine_read_header() due to lack of an EOF check might cause huge CPU and memory consumption. When a crafted CINE file, which claims a large "duration" field in the header but does not contain sufficient backing data, is provided, the image-offset parsing loop would consume huge CPU and memory resources, since there is no EOF check inside the loop. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14059 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-14169 CVE STATUS: Patched CVE SUMMARY: In the mxf_read_primer_pack function in libavformat/mxfdec.c in FFmpeg 3.3.3 -> 2.4, an integer signedness error might occur when a crafted file, which claims a large "item_num" field such as 0xffffffff, is provided. As a result, the variable "item_num" turns negative, bypassing the check for a large value. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14169 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-14170 CVE STATUS: Patched CVE SUMMARY: In libavformat/mxfdec.c in FFmpeg 3.3.3 -> 2.4, a DoS in mxf_read_index_entry_array() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted MXF file, which claims a large "nb_index_entries" field in the header but does not contain sufficient backing data, is provided, the loop would consume huge CPU resources, since there is no EOF check inside the loop. Moreover, this big loop can be invoked multiple times if there is more than one applicable data segment in the crafted MXF file. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14170 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-14171 CVE STATUS: Patched CVE SUMMARY: In libavformat/nsvdec.c in FFmpeg 2.4 and 3.3.3, a DoS in nsv_parse_NSVf_header() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted NSV file, which claims a large "table_entries_used" field in the header but does not contain sufficient backing data, is provided, the loop over 'table_entries_used' would consume huge CPU resources, since there is no EOF check inside the loop. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14171 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-14222 CVE STATUS: Patched CVE SUMMARY: In libavformat/mov.c in FFmpeg 3.3.3, a DoS in read_tfra() due to lack of an EOF (End of File) check might cause huge CPU and memory consumption. When a crafted MOV file, which claims a large "item_count" field in the header but does not contain sufficient backing data, is provided, the loop would consume huge CPU and memory resources, since there is no EOF check inside the loop. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14222 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-14223 CVE STATUS: Patched CVE SUMMARY: In libavformat/asfdec_f.c in FFmpeg 3.3.3, a DoS in asf_build_simple_index() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted ASF file, which claims a large "ict" field in the header but does not contain sufficient backing data, is provided, the for loop would consume huge CPU and memory resources, since there is no EOF check inside the loop. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14223 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-14225 CVE STATUS: Patched CVE SUMMARY: The av_color_primaries_name function in libavutil/pixdesc.c in FFmpeg 3.3.3 may return a NULL pointer depending on a value contained in a file, but callers do not anticipate this, as demonstrated by the avcodec_string function in libavcodec/utils.c, leading to a NULL pointer dereference. (It is also conceivable that there is security relevance for a NULL pointer dereference in av_color_primaries_name calls within the ffprobe command-line program.) CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14225 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-14767 CVE STATUS: Patched CVE SUMMARY: The sdp_parse_fmtp_config_h264 function in libavformat/rtpdec_h264.c in FFmpeg before 3.3.4 mishandles empty sprop-parameter-sets values, which allows remote attackers to cause a denial of service (heap buffer overflow) or possibly have unspecified other impact via a crafted sdp file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14767 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-15186 CVE STATUS: Patched CVE SUMMARY: Double free vulnerability in FFmpeg 3.3.4 and earlier allows remote attackers to cause a denial of service via a crafted AVI file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15186 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-15672 CVE STATUS: Patched CVE SUMMARY: The read_header function in libavcodec/ffv1dec.c in FFmpeg 2.4 and 3.3.4 and possibly earlier allows remote attackers to have unspecified impact via a crafted MP4 file, which triggers an out-of-bounds read. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15672 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-16840 CVE STATUS: Patched CVE SUMMARY: The VC-2 Video Compression encoder in FFmpeg 3.0 and 3.4 allows remote attackers to cause a denial of service (out-of-bounds read) because of incorrect buffer padding for non-Haar wavelets, related to libavcodec/vc2enc.c and libavcodec/vc2enc_dwt.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16840 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-17081 CVE STATUS: Patched CVE SUMMARY: The gmc_mmx function in libavcodec/x86/mpegvideodsp.c in FFmpeg 2.3 and 3.4 does not properly validate widths and heights, which allows remote attackers to cause a denial of service (integer signedness error and out-of-array read) via a crafted MPEG file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17081 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-17555 CVE STATUS: Patched CVE SUMMARY: The swri_audio_convert function in audioconvert.c in FFmpeg libswresample through 3.0.101, as used in FFmpeg 3.4.1, aubio 0.4.6, and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted audio file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17555 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-7859 CVE STATUS: Patched CVE SUMMARY: FFmpeg before 2017-03-05 has an out-of-bounds write caused by a heap-based buffer overflow related to the ff_h264_slice_context_init function in libavcodec/h264dec.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7859 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-7862 CVE STATUS: Patched CVE SUMMARY: FFmpeg before 2017-02-07 has an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame function in libavcodec/pictordec.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7862 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-7863 CVE STATUS: Patched CVE SUMMARY: FFmpeg before 2017-02-04 has an out-of-bounds write caused by a heap-based buffer overflow related to the decode_frame_common function in libavcodec/pngdec.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7863 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-7865 CVE STATUS: Patched CVE SUMMARY: FFmpeg before 2017-01-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the ipvideo_decode_block_opcode_0xA function in libavcodec/interplayvideo.c and the avcodec_align_dimensions2 function in libavcodec/utils.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7865 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-7866 CVE STATUS: Patched CVE SUMMARY: FFmpeg before 2017-01-23 has an out-of-bounds write caused by a stack-based buffer overflow related to the decode_zbuf function in libavcodec/pngdec.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7866 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-9608 CVE STATUS: Patched CVE SUMMARY: The dnxhd decoder in FFmpeg before 3.2.6, and 3.3.x before 3.3.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted mov file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9608 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-9990 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the color_string_to_rgba function in libavcodec/xpmdec.c in FFmpeg 3.3 before 3.3.1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9990 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-9991 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the xwd_decode_frame function in libavcodec/xwddec.c in FFmpeg before 2.8.12, 3.0.x before 3.0.8, 3.1.x before 3.1.8, 3.2.x before 3.2.5, and 3.3.x before 3.3.1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9991 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-9992 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the decode_dds1 function in libavcodec/dfa.c in FFmpeg before 2.8.12, 3.0.x before 3.0.8, 3.1.x before 3.1.8, 3.2.x before 3.2.5, and 3.3.x before 3.3.1 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9992 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-9993 CVE STATUS: Patched CVE SUMMARY: FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9993 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-9994 CVE STATUS: Patched CVE SUMMARY: libavcodec/webp.c in FFmpeg before 2.8.12, 3.0.x before 3.0.8, 3.1.x before 3.1.8, 3.2.x before 3.2.5, and 3.3.x before 3.3.1 does not ensure that pix_fmt is set, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file, related to the vp8_decode_mb_row_no_filter and pred8x8_128_dc_8_c functions. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9994 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-9995 CVE STATUS: Patched CVE SUMMARY: libavcodec/scpr.c in FFmpeg 3.3 before 3.3.1 does not properly validate height and width data, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9995 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2017-9996 CVE STATUS: Patched CVE SUMMARY: The cdxl_decode_frame function in libavcodec/cdxl.c in FFmpeg 2.8.x before 2.8.12, 3.0.x before 3.0.8, 3.1.x before 3.1.8, 3.2.x before 3.2.5, and 3.3.x before 3.3.1 does not exclude the CHUNKY format, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9996 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-10001 CVE STATUS: Patched CVE SUMMARY: The decode_init function in libavcodec/utvideodec.c in FFmpeg through 3.4.2 allows remote attackers to cause a denial of service (out of array read) via an AVI file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10001 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-12458 CVE STATUS: Patched CVE SUMMARY: An improper integer type in the mpeg4_encode_gop_header function in libavcodec/mpeg4videoenc.c in FFmpeg 2.8 and 4.0 may trigger an assertion violation while converting a crafted AVI file to MPEG4, leading to a denial of service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12458 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-12459 CVE STATUS: Patched CVE SUMMARY: An inconsistent bits-per-sample value in the ff_mpeg4_decode_picture_header function in libavcodec/mpeg4videodec.c in FFmpeg 4.0 may trigger an assertion violation while converting a crafted AVI file to MPEG4, leading to a denial of service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12459 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-12460 CVE STATUS: Patched CVE SUMMARY: libavcodec in FFmpeg 4.0 may trigger a NULL pointer dereference if the studio profile is incorrectly detected while converting a crafted AVI file to MPEG4, leading to a denial of service, related to idctdsp.c and mpegvideo.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12460 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-13300 CVE STATUS: Patched CVE SUMMARY: In FFmpeg 3.2 and 4.0.1, an improper argument (AVCodecParameters) passed to the avpriv_request_sample function in the handle_eac3 function in libavformat/movenc.c may trigger an out-of-array read while converting a crafted AVI file to MPEG4, leading to a denial of service and possibly an information disclosure. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13300 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-13301 CVE STATUS: Patched CVE SUMMARY: In FFmpeg 4.0.1, due to a missing check of a profile value before setting it, the ff_mpeg4_decode_picture_header function in libavcodec/mpeg4videodec.c may trigger a NULL pointer dereference while converting a crafted AVI file to MPEG4, leading to a denial of service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13301 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-13302 CVE STATUS: Patched CVE SUMMARY: In FFmpeg 4.0.1, improper handling of frame types (other than EAC3_FRAME_TYPE_INDEPENDENT) that have multiple independent substreams in the handle_eac3 function in libavformat/movenc.c may trigger an out-of-array access while converting a crafted AVI file to MPEG4, leading to a denial of service or possibly unspecified other impact. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13302 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-13303 CVE STATUS: Patched CVE SUMMARY: In FFmpeg 4.0.1, a missing check for failure of a call to init_get_bits8() in the avpriv_ac3_parse_header function in libavcodec/ac3_parser.c may trigger a NULL pointer dereference while converting a crafted AVI file to MPEG4, leading to a denial of service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13303 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-13304 CVE STATUS: Patched CVE SUMMARY: In libavcodec in FFmpeg 4.0.1, improper maintenance of the consistency between the context profile field and studio_profile in libavcodec may trigger an assertion failure while converting a crafted AVI file to MPEG4, leading to a denial of service, related to error_resilience.c, h263dec.c, and mpeg4videodec.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13304 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-13305 CVE STATUS: Patched CVE SUMMARY: In FFmpeg 4.0.1, due to a missing check for negative values of the mquant variable, the vc1_put_blocks_clamped function in libavcodec/vc1_block.c may trigger an out-of-array access while converting a crafted AVI file to MPEG4, leading to an information disclosure or a denial of service. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-13305 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-14394 CVE STATUS: Patched CVE SUMMARY: libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a denial of service (application crash caused by a divide-by-zero error) with a user crafted Waveform audio file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14394 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-14395 CVE STATUS: Patched CVE SUMMARY: libavformat/movenc.c in FFmpeg 3.2 and 4.0.2 allows attackers to cause a denial of service (application crash caused by a divide-by-zero error) with a user crafted audio file when converting to the MOV audio format. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14395 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-15822 CVE STATUS: Patched CVE SUMMARY: The flv_write_packet function in libavformat/flvenc.c in FFmpeg through 2.8 does not check for an empty audio packet, leading to an assertion failure. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15822 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-1999010 CVE STATUS: Patched CVE SUMMARY: FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple out of array access vulnerabilities in the mms protocol that can result in attackers accessing out of bound data. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in cced03dd667a5df6df8fd40d8de0bff477ee02e8 and later. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1999010 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-1999011 CVE STATUS: Patched CVE SUMMARY: FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains a Buffer Overflow vulnerability in asf_o format demuxer that can result in heap-buffer-overflow that may result in remote code execution. This attack appears to be exploitable via specially crafted ASF file that has to be provided as input to FFmpeg. This vulnerability appears to have been fixed in 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 and later. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1999011 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-1999012 CVE STATUS: Patched CVE SUMMARY: FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a Vulnerability that allows attackers to consume excessive amount of resources like CPU and RAM. This attack appear to be exploitable via specially crafted PVA file has to be provided as input. This vulnerability appears to have been fixed in 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 and later. CVSS v2 BASE SCORE: 7.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1999012 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-1999013 CVE STATUS: Patched CVE SUMMARY: FFmpeg before commit a7e032a277452366771951e29fd0bf2bd5c029f0 contains a use-after-free vulnerability in the realmedia demuxer that can result in vulnerability allows attacker to read heap memory. This attack appear to be exploitable via specially crafted RM file has to be provided as input. This vulnerability appears to have been fixed in a7e032a277452366771951e29fd0bf2bd5c029f0 and later. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1999013 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-1999014 CVE STATUS: Patched CVE SUMMARY: FFmpeg before commit bab0716c7f4793ec42e05a5aa7e80d82a0dd4e75 contains an out of array access vulnerability in MXF format demuxer that can result in DoS. This attack appear to be exploitable via specially crafted MXF file which has to be provided as input. This vulnerability appears to have been fixed in bab0716c7f4793ec42e05a5aa7e80d82a0dd4e75 and later. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1999014 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-1999015 CVE STATUS: Patched CVE SUMMARY: FFmpeg before commit 5aba5b89d0b1d73164d3b81764828bb8b20ff32a contains an out of array read vulnerability in ASF_F format demuxer that can result in heap memory reading. This attack appear to be exploitable via specially crafted ASF file that has to provided as input. This vulnerability appears to have been fixed in 5aba5b89d0b1d73164d3b81764828bb8b20ff32a and later. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1999015 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-6392 CVE STATUS: Patched CVE SUMMARY: The filter_slice function in libavfilter/vf_transpose.c in FFmpeg through 3.4.1 allows remote attackers to cause a denial of service (out-of-array access) via a crafted MP4 file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6392 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-6621 CVE STATUS: Patched CVE SUMMARY: The decode_frame function in libavcodec/utvideodec.c in FFmpeg through 3.2 allows remote attackers to cause a denial of service (out of array read) via a crafted AVI file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6621 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-6912 CVE STATUS: Patched CVE SUMMARY: The decode_plane function in libavcodec/utvideodec.c in FFmpeg through 3.4.2 allows remote attackers to cause a denial of service (out of array read) via a crafted AVI file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6912 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-7557 CVE STATUS: Patched CVE SUMMARY: The decode_init function in libavcodec/utvideodec.c in FFmpeg 2.8 through 3.4.2 allows remote attackers to cause a denial of service (Out of array read) via an AVI file with crafted dimensions within chroma subsampling data. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7557 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-7751 CVE STATUS: Patched CVE SUMMARY: The svg_probe function in libavformat/img2dec.c in FFmpeg through 3.4.2 allows remote attackers to cause a denial of service (Infinite Loop) via a crafted XML file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7751 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2018-9841 CVE STATUS: Patched CVE SUMMARY: The export function in libavfilter/vf_signature.c in FFmpeg through 3.4.2 allows remote attackers to cause a denial of service (out-of-array access) or possibly have unspecified other impact via a long filename. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9841 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2019-1000016 CVE STATUS: Patched CVE SUMMARY: FFMPEG version 4.1 contains a CWE-129: Improper Validation of Array Index vulnerability in libavcodec/cbs_av1.c that can result in Denial of service. This attack appears to be exploitable via specially crafted AV1 file has to be provided as input. This vulnerability appears to have been fixed in after commit b97a4b658814b2de8b9f2a3bce491c002d34de31. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-1000016 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2019-11338 CVE STATUS: Patched CVE SUMMARY: libavcodec/hevcdec.c in FFmpeg 3.4 and 4.1.2 mishandles detection of duplicate first slices, which allows remote attackers to cause a denial of service (NULL pointer dereference and out-of-array access) or possibly have unspecified other impact via crafted HEVC data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11338 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2019-11339 CVE STATUS: Patched CVE SUMMARY: The studio profile decoder in libavcodec/mpeg4videodec.c in FFmpeg 4.0 before 4.0.4 and 4.1 before 4.1.2 allows remote attackers to cause a denial of service (out-of-array access) or possibly have unspecified other impact via crafted MPEG-4 video data. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11339 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2019-12730 CVE STATUS: Patched CVE SUMMARY: aa_read_header in libavformat/aadec.c in FFmpeg before 3.2.14 and 4.x before 4.1.4 does not check for sscanf failure and consequently allows use of uninitialized variables. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12730 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2019-13312 CVE STATUS: Patched CVE SUMMARY: block_cmp() in libavcodec/zmbvenc.c in FFmpeg 4.1.3 has a heap-based buffer over-read. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13312 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2019-13390 CVE STATUS: Patched CVE SUMMARY: In FFmpeg 4.1.3, there is a division by zero at adx_write_trailer in libavformat/rawenc.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13390 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2019-15942 CVE STATUS: Patched CVE SUMMARY: FFmpeg through 4.2 has a "Conditional jump or move depends on uninitialised value" issue in h2645_parse because alloc_rbsp_buffer in libavcodec/h2645_parse.c mishandles rbsp_buffer. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15942 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2019-17539 CVE STATUS: Patched CVE SUMMARY: In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NULL pointer dereference and possibly unspecified other impact when there is no valid close function pointer. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17539 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2019-17542 CVE STATUS: Patched CVE SUMMARY: FFmpeg before 4.2 has a heap-based buffer overflow in vqa_decode_chunk because of an out-of-array access in vqa_decode_init in libavcodec/vqavideo.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17542 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2019-9718 CVE STATUS: Patched CVE SUMMARY: In FFmpeg 3.2 and 4.1, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because ff_htmlmarkup_to_ass in libavcodec/htmlsubtitles.c has a complex format argument to sscanf. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9718 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2019-9721 CVE STATUS: Patched CVE SUMMARY: A denial of service in the subtitle decoder in FFmpeg 3.2 and 4.1 allows attackers to hog the CPU via a crafted video file in Matroska format, because handle_open_brace in libavcodec/htmlsubtitles.c has a complex format argument to sscanf. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9721 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-12284 CVE STATUS: Patched CVE SUMMARY: cbs_jpeg_split_fragment in libavcodec/cbs_jpeg.c in FFmpeg 4.1 and 4.2.2 has a heap-based buffer overflow during JPEG_MARKER_SOS handling because of a missing length check. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12284 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-13904 CVE STATUS: Patched CVE SUMMARY: FFmpeg 2.8 and 4.2.3 has a use-after-free via a crafted EXTINF duration in an m3u8 file because parse_playlist in libavformat/hls.c frees a pointer, and later that pointer is accessed in av_probe_input_format3 in libavformat/format.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13904 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-14212 CVE STATUS: Patched CVE SUMMARY: FFmpeg through 4.3 has a heap-based buffer overflow in avio_get_str in libavformat/aviobuf.c because dnn_backend_native.c calls ff_dnn_load_model_native and a certain index check is omitted. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14212 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-20445 CVE STATUS: Patched CVE SUMMARY: FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/lpc.h, which allows a remote malicious user to cause a Denial of Service. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-20445 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-20446 CVE STATUS: Patched CVE SUMMARY: FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/aacpsy.c, which allows a remote malicious user to cause a Denial of Service. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-20446 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-20448 CVE STATUS: Patched CVE SUMMARY: FFmpeg 4.1.3 is affected by a Divide By Zero issue via libavcodec/ratecontrol.c, which allows a remote malicious user to cause a Denial of Service. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-20448 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-20450 CVE STATUS: Patched CVE SUMMARY: FFmpeg 4.2 is affected by null pointer dereference passed as argument to libavformat/aviobuf.c, which could cause a Denial of Service. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-20450 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-20451 CVE STATUS: Patched CVE SUMMARY: Denial of Service issue in FFmpeg 4.2 due to resource management errors via fftools/cmdutils.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-20451 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-20453 CVE STATUS: Patched CVE SUMMARY: FFmpeg 4.2 is affected by a Divide By Zero issue via libavcodec/aaccoder, which allows a remote malicious user to cause a Denial of Service CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-20453 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-20891 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in function config_input in libavfilter/vf_gblur.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-20891 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-20892 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in function filter_frame in libavfilter/vf_lenscorrection.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts due to a division by zero. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-20892 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-20896 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in function latm_write_packet in libavformat/latmenc.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts due to a Null pointer dereference. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-20896 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-20898 CVE STATUS: Patched CVE SUMMARY: Integer Overflow vulnerability in function filter16_prewitt in libavfilter/vf_convolution.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-20898 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-20902 CVE STATUS: Patched CVE SUMMARY: A CWE-125: Out-of-bounds read vulnerability exists in long_term_filter function in g729postfilter.c in FFmpeg 4.2.1 during computation of the denominator of pseudo-normalized correlation R'(0), that could result in disclosure of information. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-20902 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-21041 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability exists in FFmpeg 4.1 via apng_do_inverse_blend in libavcodec/pngenc.c, which could let a remote malicious user cause a Denial of Service CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21041 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-21688 CVE STATUS: Patched CVE SUMMARY: A heap-use-after-free in the av_freep function in libavutil/mem.c of FFmpeg 4.2 allows attackers to execute arbitrary code. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21688 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-21697 CVE STATUS: Patched CVE SUMMARY: A heap-use-after-free in the mpeg_mux_write_packet function in libavformat/mpegenc.c of FFmpeg 4.2 allows to cause a denial of service (DOS) via a crafted avi file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21697 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22015 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in FFmpeg 4.2 in mov_write_video_tag due to the out of bounds in libavformat/movenc.c, which could let a remote malicious user obtain sensitive information, cause a Denial of Service, or execute arbitrary code. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22015 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22016 CVE STATUS: Patched CVE SUMMARY: A heap-based Buffer Overflow vulnerability in FFmpeg 4.2 at libavcodec/get_bits.h when writing .mov files, which might lead to memory corruption and other potential consequences. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22016 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22017 CVE STATUS: Patched CVE SUMMARY: A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at ff_fill_rectangle in libavfilter/drawutils.c, which might lead to memory corruption and other potential consequences. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22017 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22019 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in FFmpeg 4.2 at convolution_y_10bit in libavfilter/vf_vmafmotion.c, which could let a remote malicious user cause a Denial of Service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22019 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22020 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in FFmpeg 4.2 in the build_diff_map function in libavfilter/vf_fieldmatch.c, which could let a remote malicious user cause a Denial of Service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22020 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22021 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in FFmpeg 4.2 at filter_edges function in libavfilter/vf_yadif.c, which could let a remote malicious user cause a Denial of Service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22021 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22022 CVE STATUS: Patched CVE SUMMARY: A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 in filter_frame at libavfilter/vf_fieldorder.c, which might lead to memory corruption and other potential consequences. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22022 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22023 CVE STATUS: Patched CVE SUMMARY: A heap-based Buffer Overflow vulnerabililty exists in FFmpeg 4.2 in filter_frame at libavfilter/vf_bitplanenoise.c, which might lead to memory corruption and other potential consequences. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22023 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22024 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in FFmpeg 4.2 at the lagfun_frame16 function in libavfilter/vf_lagfun.c, which could let a remote malicious user cause Denial of Service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22024 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22025 CVE STATUS: Patched CVE SUMMARY: A heap-based Buffer Overflow vulnerability exists in gaussian_blur at libavfilter/vf_edgedetect.c, which might lead to memory corruption and other potential consequences. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22025 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22026 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability exists in FFmpeg 4.2 in the config_input function at libavfilter/af_tremolo.c, which could let a remote malicious user cause a Denial of Service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22026 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22027 CVE STATUS: Patched CVE SUMMARY: A heap-based Buffer Overflow vulnerability exits in FFmpeg 4.2 in deflate16 at libavfilter/vf_neighbor.c, which might lead to memory corruption and other potential consequences. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22027 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22028 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability exists in FFmpeg 4.2 in filter_vertically_8 at libavfilter/vf_avgblur.c, which could cause a remote Denial of Service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22028 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22029 CVE STATUS: Patched CVE SUMMARY: A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at libavfilter/vf_colorconstancy.c: in slice_get_derivative, which crossfade_samples_fltp, which might lead to memory corruption and other potential consequences. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22029 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22030 CVE STATUS: Patched CVE SUMMARY: A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at libavfilter/af_afade.c in crossfade_samples_fltp, which might lead to memory corruption and other potential consequences. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22030 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22031 CVE STATUS: Patched CVE SUMMARY: A Heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at libavfilter/vf_w3fdif.c in filter16_complex_low, which might lead to memory corruption and other potential consequences. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22031 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22032 CVE STATUS: Patched CVE SUMMARY: A heap-based Buffer Overflow vulnerability exists FFmpeg 4.2 at libavfilter/vf_edgedetect.c in gaussian_blur, which might lead to memory corruption and other potential consequences. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22032 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22033 CVE STATUS: Patched CVE SUMMARY: A heap-based Buffer Overflow Vulnerability exists FFmpeg 4.2 at libavfilter/vf_vmafmotion.c in convolution_y_8bit, which could let a remote malicious user cause a Denial of Service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22033 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22034 CVE STATUS: Patched CVE SUMMARY: A heap-based Buffer Overflow vulnerability exists FFmpeg 4.2 at libavfilter/vf_floodfill.c, which might lead to memory corruption and other potential consequences. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22034 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22035 CVE STATUS: Patched CVE SUMMARY: A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 in get_block_row at libavfilter/vf_bm3d.c, which might lead to memory corruption and other potential consequences. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22035 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22036 CVE STATUS: Patched CVE SUMMARY: A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 in filter_intra at libavfilter/vf_bwdif.c, which might lead to memory corruption and other potential consequences. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22036 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22037 CVE STATUS: Patched CVE SUMMARY: A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in avcodec_alloc_context3 at options.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22037 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22038 CVE STATUS: Patched CVE SUMMARY: A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the ff_v4l2_m2m_create_context function in v4l2_m2m.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22038 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22039 CVE STATUS: Patched CVE SUMMARY: A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the inavi_add_ientry function. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22039 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22040 CVE STATUS: Patched CVE SUMMARY: A Denial of Service vulnerability exists in FFmpeg 4.2 idue to a memory leak in the v_frame_alloc function in frame.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22040 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22041 CVE STATUS: Patched CVE SUMMARY: A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the av_buffersrc_add_frame_flags function in buffersrc. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22041 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22042 CVE STATUS: Patched CVE SUMMARY: A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak is affected by: memory leak in the link_filter_inouts function in libavfilter/graphparser.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22042 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22043 CVE STATUS: Patched CVE SUMMARY: A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak at the fifo_alloc_common function in libavutil/fifo.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22043 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22044 CVE STATUS: Patched CVE SUMMARY: A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the url_open_dyn_buf_internal function in libavformat/aviobuf.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22044 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22046 CVE STATUS: Patched CVE SUMMARY: A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the avpriv_float_dsp_allocl function in libavutil/float_dsp.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22046 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22048 CVE STATUS: Patched CVE SUMMARY: A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the ff_frame_pool_get function in framepool.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22048 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22049 CVE STATUS: Patched CVE SUMMARY: A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the wtvfile_open_sector function in wtvdec.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22049 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22051 CVE STATUS: Patched CVE SUMMARY: A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the filter_frame function in vf_tile.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22051 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22054 CVE STATUS: Patched CVE SUMMARY: A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the av_dict_set function in dict.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22054 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-22056 CVE STATUS: Patched CVE SUMMARY: A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the config_input function in af_acrossover.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-22056 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-23906 CVE STATUS: Patched CVE SUMMARY: FFmpeg N-98388-g76a3ee996b allows attackers to cause a denial of service (DoS) via a crafted audio file due to insufficient verification of data authenticity. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-23906 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-24020 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in FFMpeg 4.2.3 in dnn_execute_layer_pad in libavfilter/dnn/dnn_backend_native_layer_pad.c due to a call to memcpy without length checks, which could let a remote malicious user execute arbitrary code. CVSS v2 BASE SCORE: 6.5 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24020 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-24995 CVE STATUS: Patched CVE SUMMARY: Buffer overflow vulnerability in sniff_channel_order function in aacdec_template.c in ffmpeg 3.1.2, allows attackers to execute arbitrary code (local). CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24995 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-35964 CVE STATUS: Patched CVE SUMMARY: track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bounds write because of incorrect extradata packing. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35964 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-35965 CVE STATUS: Patched CVE SUMMARY: decode_frame in libavcodec/exr.c in FFmpeg 4.3.1 has an out-of-bounds write because of errors in calculations of when to perform memset zero operations. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35965 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2020-36138 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in decode_frame in libavcodec/tiff.c in FFmpeg version 4.3, allows remote attackers to cause a denial of service (DoS). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36138 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2021-28429 CVE STATUS: Patched CVE SUMMARY: Integer overflow vulnerability in av_timecode_make_string in libavutil/timecode.c in FFmpeg version 4.3.2, allows local attackers to cause a denial of service (DoS) via crafted .mov file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28429 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2021-30123 CVE STATUS: Patched CVE SUMMARY: FFmpeg <=4.3 contains a buffer overflow vulnerability in libavcodec through a crafted file that may lead to remote code execution. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-30123 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2021-33815 CVE STATUS: Patched CVE SUMMARY: dwa_uncompress in libavcodec/exr.c in FFmpeg 4.4 allows an out-of-bounds array access because dc_count is not strictly checked. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33815 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2021-3566 CVE STATUS: Patched CVE SUMMARY: Prior to ffmpeg version 4.3, the tty demuxer did not have a 'read_probe' function assigned to it. By crafting a legitimate "ffconcat" file that references an image, followed by a file the triggers the tty demuxer, the contents of the second file will be copied into the output file verbatim (as long as the `-vcodec copy` option is passed to ffmpeg). CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3566 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2021-38090 CVE STATUS: Patched CVE SUMMARY: Integer Overflow vulnerability in function filter16_roberts in libavfilter/vf_convolution.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38090 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2021-38091 CVE STATUS: Patched CVE SUMMARY: Integer Overflow vulnerability in function filter16_sobel in libavfilter/vf_convolution.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38091 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2021-38092 CVE STATUS: Patched CVE SUMMARY: Integer Overflow vulnerability in function filter_prewitt in libavfilter/vf_convolution.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38092 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2021-38093 CVE STATUS: Patched CVE SUMMARY: Integer Overflow vulnerability in function filter_robert in libavfilter/vf_convolution.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38093 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2021-38094 CVE STATUS: Patched CVE SUMMARY: Integer Overflow vulnerability in function filter_sobel in libavfilter/vf_convolution.c in Ffmpeg 4.2.1, allows attackers to cause a Denial of Service or other unspecified impacts. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38094 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2021-38114 CVE STATUS: Patched CVE SUMMARY: libavcodec/dnxhddec.c in FFmpeg 4.4 does not check the return value of the init_vlc function, a similar issue to CVE-2013-0868. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38114 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2021-38171 CVE STATUS: Patched CVE SUMMARY: adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38171 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2021-38291 CVE STATUS: Patched CVE SUMMARY: FFmpeg version (git commit de8e6e67e7523e48bb27ac224a0b446df05e1640) suffers from a an assertion failure at src/libavutil/mathematics.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38291 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2022-1475 CVE STATUS: Patched CVE SUMMARY: An integer overflow vulnerability was found in FFmpeg versions before 4.4.2 and before 5.0.1 in g729_parse() in llibavcodec/g729_parser.c when processing a specially crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1475 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2022-2566 CVE STATUS: Patched CVE SUMMARY: A heap out-of-bounds memory write exists in FFMPEG since version 5.1. The size calculation in `build_open_gop_key_points()` goes through all entries in the loop and adds `sc->ctts_data[i].count` to `sc->sample_offsets_count`. This can lead to an integer overflow resulting in a small allocation with `av_calloc()`. An attacker can cause remote code execution via a malicious mp4 file. We recommend upgrading past commit c953baa084607dd1d84c3bfcce3cf6a87c3e6e05 CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2566 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2022-3109 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause a null pointer dereference, impacting availability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3109 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2022-3341 CVE STATUS: Patched CVE SUMMARY: A null pointer dereference issue was discovered in 'FFmpeg' in decode_main_header() function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3341 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2022-3964 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as problematic has been found in ffmpeg. This affects an unknown part of the file libavcodec/rpzaenc.c of the component QuickTime RPZA Video Encoder. The manipulation of the argument y_size leads to out-of-bounds read. It is possible to initiate the attack remotely. The name of the patch is 92f9b28ed84a77138105475beba16c146bdaf984. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-213543. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3964 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2022-3965 CVE STATUS: Patched CVE SUMMARY: A vulnerability classified as problematic was found in ffmpeg. This vulnerability affects the function smc_encode_stream of the file libavcodec/smcenc.c of the component QuickTime Graphics Video Encoder. The manipulation of the argument y_size leads to out-of-bounds read. The attack can be initiated remotely. The name of the patch is 13c13109759090b7f7182480d075e13b36ed8edd. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-213544. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3965 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2022-48434 CVE STATUS: Patched CVE SUMMARY: libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-48434 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-46407 CVE STATUS: Patched CVE SUMMARY: FFmpeg prior to commit bf814 was discovered to contain an out of bounds read via the dist->alphabet_size variable in the read_vlc_prefix() function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-46407 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-47470 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in Ffmpeg before github commit 4565747056a11356210ed8edcecb920105e40b60 allows a remote attacker to achieve an out-of-array write, execute arbitrary code, and cause a denial of service (DoS) via the ref_pic_list_struct function in libavcodec/evc_ps.c CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-47470 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-49501 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the config_eq_output function in the libavfilter/asrc_afirsrc.c:495:30 component. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-49501 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-49502 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: these CVEs are fixed in 6.1.x CVE SUMMARY: Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the ff_bwdif_filter_intra_c function in the libavfilter/bwdifdsp.c:125:5 component. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-49502 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-49528 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in FFmpeg version n6.1-3-g466799d4f5, allows a local attacker to execute arbitrary code and cause a denial of service (DoS) via the af_dialoguenhance.c:261:5 in the de_stereo component. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-49528 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-50007 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: these CVEs are fixed in 6.1.x CVE SUMMARY: FFmpeg v.n6.1-3-g466799d4f5 allows an attacker to trigger use of a parameter of negative size in the av_samples_set_silence function in thelibavutil/samplefmt.c:260:9 component. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-50007 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-50008 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: these CVEs are fixed in 6.1.x CVE SUMMARY: FFmpeg v.n6.1-3-g466799d4f5 allows memory consumption when using the colorcorrect filter, in the av_malloc function in libavutil/mem.c:105:9 component. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-50008 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-50009 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: these CVEs are fixed in 6.1.x CVE SUMMARY: FFmpeg v.n6.1-3-g466799d4f5 allows a heap-based buffer overflow via the ff_gaussian_blur_8 function in libavfilter/edge_template.c:116:5 component. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-50009 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-50010 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: these CVEs are fixed in 6.1.x CVE SUMMARY: FFmpeg v.n6.1-3-g466799d4f5 allows a buffer over-read at ff_gradfun_blur_line_movdqa_sse2, as demonstrated by a call to the set_encoder_id function in /fftools/ffmpeg_enc.c component. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-50010 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-51791 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulenrability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavcodec/jpegxl_parser.c in gen_alias_map. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51791 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-51793 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavutil/imgutils.c:353:9 in image_copy_plane. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51793 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-51794 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavfilter/af_stereowiden.c:120:69. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51794 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-51795 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavfilter/avf_showspectrum.c:1789:52 component in showspectrumpic_request_frame CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51795 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-51796 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavfilter/f_reverse.c:269:26 in areverse_request_frame. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51796 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-51797 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavfilter/avf_showwaves.c:722:24 in showwaves_filter_frame CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51797 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-51798 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via a floating point exception (FPE) error at libavfilter/vf_minterpolate.c:1078:60 in interpolate. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51798 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-6601 CVE STATUS: Patched CVE SUMMARY: A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows bypassing unsafe file extension checks and triggering arbitrary demuxers via base64-encoded data URIs appended with specific file extensions. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6601 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-6602 CVE STATUS: Patched CVE SUMMARY: A flaw was found in FFmpeg's TTY Demuxer. This vulnerability allows possible data exfiltration via improper parsing of non-TTY-compliant input files in HLS playlists. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6602 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-6603 CVE STATUS: Patched CVE SUMMARY: A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6603 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-6604 CVE STATUS: Patched CVE SUMMARY: A flaw was found in FFmpeg. This vulnerability allows unexpected additional CPU load and storage consumption, potentially leading to degraded performance or denial of service via the demuxing of arbitrary data as XBIN-formatted data without proper format validation. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6604 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2023-6605 CVE STATUS: Patched CVE SUMMARY: A flaw was found in FFmpeg's DASH playlist support. This vulnerability allows arbitrary HTTP GET requests to be made on behalf of the machine running FFmpeg via a crafted DASH playlist containing malicious URLs. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.2 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6605 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-22860 CVE STATUS: Patched CVE SUMMARY: Integer overflow vulnerability in FFmpeg before n6.1, allows remote attackers to execute arbitrary code via the jpegxl_anim_read_packet component in the JPEG XL Animation decoder. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-22860 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-22861 CVE STATUS: Patched CVE SUMMARY: Integer overflow vulnerability in FFmpeg before n6.1, allows attackers to cause a denial of service (DoS) via the avcodec/osq module. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-22861 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-22862 CVE STATUS: Patched CVE SUMMARY: Integer overflow vulnerability in FFmpeg before n6.1, allows remote attackers to execute arbitrary code via the JJPEG XL Parser. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-22862 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-31578 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: these CVEs are fixed in 6.1.x CVE SUMMARY: FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via the av_hwframe_ctx_init function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-31578 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-31581 CVE STATUS: Patched CVE SUMMARY: FFmpeg version n6.1 was discovered to contain an improper validation of array index vulnerability in libavcodec/cbs_h266_syntax_template.c. This vulnerability allows attackers to cause undefined behavior within the application. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-31581 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-31582 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: these CVEs are fixed in 6.1.x CVE SUMMARY: FFmpeg version n6.1 was discovered to contain a heap buffer overflow vulnerability in the draw_block_rectangle function of libavfilter/vf_codecview.c. This vulnerability allows attackers to cause undefined behavior or a Denial of Service (DoS) via crafted input. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-31582 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-31585 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: these CVEs are fixed in 6.1.x CVE SUMMARY: FFmpeg version n5.1 to n6.1 was discovered to contain an Off-by-one Error vulnerability in libavfilter/avf_showspectrum.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-31585 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-32228 CVE STATUS: Patched CVE SUMMARY: FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a SEGV at libavcodec/hevcdec.c:2947:22 in hevc_frame_end. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32228 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-32229 CVE STATUS: Patched CVE SUMMARY: FFmpeg 7.0 contains a heap-buffer-overflow at libavfilter/vf_tiltandshift.c:189:5 in copy_column. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32229 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-32230 CVE STATUS: Patched CVE SUMMARY: FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0 CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-32230 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-35365 CVE STATUS: Patched CVE SUMMARY: FFmpeg version n6.1.1 has a double-free vulnerability in the fftools/ffmpeg_mux_init.c component of FFmpeg, specifically within the new_stream_audio function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-35365 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-35366 CVE STATUS: Patched CVE SUMMARY: FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options function of sbgdec.c within the libavformat module. When parsing certain options, the software does not adequately validate the input. This allows for negative duration values to be accepted without proper bounds checking. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-35366 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-35367 CVE STATUS: Patched CVE SUMMARY: FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8dsp_altivec.c, static const vec_s8 h_subpel_filters_outer CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-35367 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-35368 CVE STATUS: Patched CVE SUMMARY: FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-35368 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-35369 CVE STATUS: Patched CVE SUMMARY: In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-35369 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-36613 CVE STATUS: Patched CVE SUMMARY: FFmpeg n6.1.1 has a vulnerability in the DXA demuxer of the libavformat library allowing for an integer overflow, potentially resulting in a denial-of-service (DoS) condition or other undefined behavior. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36613 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-36615 CVE STATUS: Patched CVE SUMMARY: FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. This could lead to a data race if video encoding parameters were being exported, as the side data would be attached in the decoder thread while being read in the output thread. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36615 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-36616 CVE STATUS: Patched CVE SUMMARY: An integer overflow in the component /libavformat/westwood_vqa.c of FFmpeg n6.1.1 allows attackers to cause a denial of service in the application via a crafted VQA file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36616 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-36617 CVE STATUS: Patched CVE SUMMARY: FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF decoder. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36617 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-36618 CVE STATUS: Patched CVE SUMMARY: FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavformat library which allows for an integer overflow, potentially resulting in a denial-of-service (DoS) condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36618 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-36619 CVE STATUS: Patched CVE SUMMARY: FFmpeg n6.1.1 has a vulnerability in the WAVARC decoder of the libavcodec library which allows for an integer overflow when handling certain block types, leading to a denial-of-service (DoS) condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36619 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-55069 CVE STATUS: Patched CVE SUMMARY: ffmpeg 7.1 is vulnerable to Null Pointer Dereference in function iamf_read_header in /libavformat/iamfdec.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-55069 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-7055 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in FFmpeg up to 7.0.1. It has been classified as critical. This affects the function pnm_decode_frame in the library /libavcodec/pnmdec.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0.2 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-273651. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 6.9 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7055 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2024-7272 CVE STATUS: Patched CVE SUMMARY: A vulnerability, which was classified as critical, was found in FFmpeg up to 5.1.5. This affects the function fill_audiodata of the file /libswresample/swresample.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. This issue was fixed in version 6.0 by 9903ba28c28ab18dc7b7b6fb8571cc8b5caae1a6 but a backport for 5.1 was forgotten. The exploit has been disclosed to the public and may be used. Upgrading to version 5.1.6 and 6.0 9903ba28c28ab18dc7b7b6fb8571cc8b5caae1a6 is able to address this issue. It is recommended to upgrade the affected component. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 6.9 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-7272 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2025-0518 CVE STATUS: Patched CVE SUMMARY: Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read Sensitive Constants Within an Executable. This vulnerability is associated with program files https://github.Com/FFmpeg/FFmpeg/blob/master/libavfilter/af_pan.C . This issue affects FFmpeg: 7.1. Issue was fixed:  https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a This issue was discovered by: Simcha Kosman CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 4.8 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-0518 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2025-10256 CVE STATUS: Unpatched CVE SUMMARY: A NULL pointer dereference vulnerability exists in FFmpeg’s Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array() in the config_input() function. An attacker could exploit this by tricking a victim into processing a crafted media file with the Firequalizer filter enabled, causing the application to dereference a NULL pointer and crash, leading to denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-10256 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2025-12343 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in FFmpeg’s TensorFlow backend within the libavfilter/dnn_backend_tf.c source file. The issue occurs in the dnn_execute_model_tf() function, where a task object is freed multiple times in certain error-handling paths. This redundant memory deallocation can lead to a double-free condition, potentially causing FFmpeg or any application using it to crash when processing TensorFlow-based DNN models. This results in a denial-of-service scenario but does not allow arbitrary code execution under normal conditions. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-12343 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2025-1373 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: Vulnerable code not present in any release CVE SUMMARY: A vulnerability was found in FFmpeg up to 7.1. It has been rated as problematic. Affected by this issue is the function mov_read_trak of the file libavformat/mov.c of the component MOV Parser. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The patch is identified as 43be8d07281caca2e88bfd8ee2333633e1fb1a13. It is recommended to apply a patch to fix this issue. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 4.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-1373 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2025-1594 CVE STATUS: Unpatched CVE SUMMARY: A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. This affects the function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c of the component AAC Encoder. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 5.3 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-1594 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2025-22921 CVE STATUS: Patched CVE SUMMARY: FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-22921 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2025-25468 CVE STATUS: Unpatched CVE SUMMARY: FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/mem.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-25468 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2025-25469 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: Current version (6.1.4) is not impacted. CVE SUMMARY: FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/iamf.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-25469 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2025-25473 CVE STATUS: Patched CVE SUMMARY: FFmpeg git master before commit c08d30 was discovered to contain a memory leak in the avformat_free_context function in libavutil/mem.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-25473 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2025-63757 CVE STATUS: Patched CVE SUMMARY: Integer overflow vulnerability in the yuv2ya16_X_c_template function in libswscale/output.c in FFmpeg 8.0. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-63757 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2025-69693 CVE STATUS: Patched CVE SUMMARY: Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c). The quantization parameter (qp) validation at line 2267 only checks the lower bound (qp < 0) but is missing upper bound validation. The qp value can reach 65 (base value 63 from 6-bit frame header + offset +2 from read_qp_offset) while the rv60_qp_to_idx array has size 64 (valid indices 0-63). This results in out-of-bounds array access at lines 1554 (decode_cbp8), 1655 (decode_cbp16), and 1419/1421 (get_c4x4_set), potentially leading to memory disclosure or crash. A previous fix in commit 61cbcaf93f added validation only for intra frames. This vulnerability affects the released versions 8.0 (released 2025-08-22) and 8.0.1 (released 2025-11-20) and is fixed in git master commit 8abeb879df which will be included in FFmpeg 8.1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-69693 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2026-30997 CVE STATUS: Unpatched CVE SUMMARY: An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-30997 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2026-30998 CVE STATUS: Unpatched CVE SUMMARY: An improper resource deallocation and closure vulnerability in the tools/zmqsend.c component of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-30998 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2026-30999 CVE STATUS: Unpatched CVE SUMMARY: A heap buffer overflow in the av_bprint_finalize() function of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-30999 LAYER: meta PACKAGE NAME: ffmpeg PACKAGE VERSION: 6.1.4 CVE: CVE-2026-40962 CVE STATUS: Unpatched CVE SUMMARY: FFmpeg before 8.1 has an integer overflow and resultant out-of-bounds write via CENC (Common Encryption) subsample data to libavformat/mov.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-40962 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2006-0747 CVE STATUS: Patched CVE SUMMARY: Integer underflow in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0747 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2006-1861 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. NOTE: item 4 was originally identified by CVE-2006-2493. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1861 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2006-2661 CVE STATUS: Patched CVE SUMMARY: ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-2661 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2006-3467 CVE STATUS: Patched CVE SUMMARY: Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PCF file, as demonstrated by the Red Hat bad1.pcf test file, due to a partial fix of CVE-2006-1861. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-3467 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2007-2754 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2754 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2007-3506 CVE STATUS: Patched CVE SUMMARY: The ft_bitmap_assure_buffer function in src/base/ftbimap.c in FreeType 2.3.3 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors involving bitmap fonts, related to a "memory buffer overwrite bug." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3506 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2008-1806 CVE STATUS: Patched CVE SUMMARY: Integer overflow in FreeType2 before 2.3.6 allows context-dependent attackers to execute arbitrary code via a crafted set of 16-bit length values within the Private dictionary table in a Printer Font Binary (PFB) file, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1806 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2008-1807 CVE STATUS: Patched CVE SUMMARY: FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid "number of axes" field in a Printer Font Binary (PFB) file, which triggers a free of arbitrary memory locations, leading to memory corruption. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1807 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2008-1808 CVE STATUS: Patched CVE SUMMARY: Multiple off-by-one errors in FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via (1) a crafted table in a Printer Font Binary (PFB) file or (2) a crafted SHC instruction in a TrueType Font (TTF) file, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1808 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2009-0946 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0946 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-2497 CVE STATUS: Patched CVE SUMMARY: Integer underflow in glyph handling in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2497 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-2498 CVE STATUS: Patched CVE SUMMARY: The psh_glyph_find_strong_points function in pshinter/pshalgo.c in FreeType before 2.4.0 does not properly implement hinting masks, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted font file that triggers an invalid free operation. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2498 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-2499 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted LaserWriter PS font file with an embedded PFB fragment. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2499 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-2500 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the gray_render_span function in smooth/ftgrays.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2500 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-2519 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted length value in a POST fragment header in a font file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2519 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-2520 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the Ins_IUP function in truetype/ttinterp.c in FreeType before 2.4.0, when TrueType bytecode support is enabled, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2520 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-2527 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in demo programs in FreeType before 2.4.0 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2527 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-2541 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2541 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-2805 CVE STATUS: Patched CVE SUMMARY: The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2805 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-2806 CVE STATUS: Patched CVE SUMMARY: Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via negative size values for certain strings in FontType42 font files, leading to a heap-based buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2806 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-2807 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2807 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-2808 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN) font. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2808 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-3053 CVE STATUS: Patched CVE SUMMARY: bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) via a crafted BDF font file, related to an attempted modification of a value in a static string. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3053 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-3054 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in FreeType 2.3.9, and other versions before 2.4.2, allows remote attackers to cause a denial of service via vectors involving nested Standard Encoding Accented Character (aka seac) calls, related to psaux.h, cffgload.c, cffgload.h, and t1decode.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3054 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-3311 CVE STATUS: Patched CVE SUMMARY: Integer overflow in base/ftstream.c in libXft (aka the X FreeType library) in FreeType before 2.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Compact Font Format (CFF) font file that triggers a heap-based buffer overflow, related to an "input stream position error" issue, a different vulnerability than CVE-2010-1797. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3311 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-3814 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the Ins_SHZ function in ttinterp.c in FreeType 2.4.3 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted SHZ bytecode instruction, related to TrueType opcodes, as demonstrated by a PDF document with a crafted embedded font. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3814 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2010-3855 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the ft_var_readpackedpoints function in truetype/ttgxvar.c in FreeType 2.4.3 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TrueType GX font. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-3855 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2011-0226 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in psaux/t1decode.c in FreeType before 2.4.6, as used in CoreGraphics in Apple iOS before 4.2.9 and 4.3.x before 4.3.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Type 1 font in a PDF document, as exploited in the wild in July 2011. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0226 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2011-2895 CVE STATUS: Patched CVE SUMMARY: The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2895 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1126 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a BDF font. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1126 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1127 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1127 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1128 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and memory corruption) or possibly execute arbitrary code via a crafted TrueType font. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1128 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1129 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted SFNT string in a Type 42 font. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1129 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1130 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a PCF font. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1130 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1131 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, on 64-bit platforms allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors related to the cell table of a font. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1131 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1132 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted dictionary data in a Type 1 font. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1132 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1133 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1133 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1134 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted private-dictionary data in a Type 1 font. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1134 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1135 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the NPUSHB and NPUSHW instructions in a TrueType font. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1135 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1136 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font that lacks an ENCODING field. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1136 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1137 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted header in a BDF font. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1137 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1138 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the MIRP instruction in a TrueType font. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1138 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1139 CVE STATUS: Patched CVE SUMMARY: Array index error in FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid stack read operation and memory corruption) or possibly execute arbitrary code via crafted glyph data in a BDF font. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1139 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1140 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted PostScript font object. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1140 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1141 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted ASCII string in a BDF font. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1141 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1142 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph-outline data in a font. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1142 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1143 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted font. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1143 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-1144 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via a crafted TrueType font. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1144 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-5668 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to BDF fonts and the improper handling of an "allocation error" in the bdf_free_font function. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5668 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-5669 CVE STATUS: Patched CVE SUMMARY: The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to BDF fonts and an incorrect calculation that triggers an out-of-bounds read. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5669 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2012-5670 CVE STATUS: Patched CVE SUMMARY: The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) via vectors related to BDF fonts and an ENCODING field with a negative value. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5670 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-2240 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the cf2_hintmap_build function in cff/cf2hints.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of stem hints in a font file. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2240 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-2241 CVE STATUS: Patched CVE SUMMARY: The (1) cf2_initLocalRegionBuffer and (2) cf2_initGlobalRegionBuffer functions in cff/cf2ft.c in FreeType before 2.5.3 do not properly check if a subroutine exists, which allows remote attackers to cause a denial of service (assertion failure), as demonstrated by a crafted ttf file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2241 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9656 CVE STATUS: Patched CVE SUMMARY: The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before 2.5.4 does not properly check for an integer overflow, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted OpenType font. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9656 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9657 CVE STATUS: Patched CVE SUMMARY: The tt_face_load_hdmx function in truetype/ttpload.c in FreeType before 2.5.4 does not establish a minimum record size, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9657 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9658 CVE STATUS: Patched CVE SUMMARY: The tt_face_load_kern function in sfnt/ttkern.c in FreeType before 2.5.4 enforces an incorrect minimum table length, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted TrueType font. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9658 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9659 CVE STATUS: Patched CVE SUMMARY: cff/cf2intrp.c in the CFF CharString interpreter in FreeType before 2.5.4 proceeds with additional hints after the hint mask has been computed, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted OpenType font. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2240. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9659 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9660 CVE STATUS: Patched CVE SUMMARY: The _bdf_parse_glyphs function in bdf/bdflib.c in FreeType before 2.5.4 does not properly handle a missing ENDCHAR record, which allows remote attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted BDF font. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9660 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9661 CVE STATUS: Patched CVE SUMMARY: type42/t42parse.c in FreeType before 2.5.4 does not consider that scanning can be incomplete without triggering an error, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted Type42 font. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9661 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9662 CVE STATUS: Patched CVE SUMMARY: cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of point-allocation functions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted OTF font. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9662 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9663 CVE STATUS: Patched CVE SUMMARY: The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4 validates a certain length field before that field's value is completely calculated, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted cmap SFNT table. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9663 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9664 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.5.4 does not check for the end of the data during certain parsing actions, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted Type42 font, related to type42/t42parse.c and type1/t1load.c. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9664 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9665 CVE STATUS: Patched CVE SUMMARY: The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does not restrict the rows and pitch values of PNG data, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact by embedding a PNG file in a .ttf font file. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9665 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9666 CVE STATUS: Patched CVE SUMMARY: The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without restricting the count value, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted embedded bitmap. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9666 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9667 CVE STATUS: Patched CVE SUMMARY: sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting the values, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted SFNT table. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9667 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9668 CVE STATUS: Patched CVE SUMMARY: The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting length values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Web Open Font Format (WOFF) file. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9668 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9669 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in sfnt/ttcmap.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (out-of-bounds read or memory corruption) or possibly have unspecified other impact via a crafted cmap SFNT table. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9669 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9670 CVE STATUS: Patched CVE SUMMARY: Multiple integer signedness errors in the pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (integer overflow, NULL pointer dereference, and application crash) via a crafted PCF file that specifies negative values for the first column and first row. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9670 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9671 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PCF file with a 0xffffffff size value that is improperly incremented. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9671 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9672 CVE STATUS: Patched CVE SUMMARY: Array index error in the parse_fond function in base/ftmac.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information from process memory via a crafted FOND resource in a Mac font file. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9672 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9673 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9673 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9674 CVE STATUS: Patched CVE SUMMARY: The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9674 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9675 CVE STATUS: Patched CVE SUMMARY: bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allows remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9675 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9745 CVE STATUS: Patched CVE SUMMARY: The parse_encoding function in type1/t1load.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (infinite loop) via a "broken number-with-base" in a Postscript stream, as demonstrated by 8#garbage. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9745 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9746 CVE STATUS: Patched CVE SUMMARY: The (1) t1_parse_font_matrix function in type1/t1load.c, (2) cid_parse_font_matrix function in cid/cidload.c, (3) t42_parse_font_matrix function in type42/t42parse.c, and (4) ps_parser_load_field function in psaux/psobjs.c in FreeType before 2.5.4 do not check return values, which allows remote attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted font. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9746 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2014-9747 CVE STATUS: Patched CVE SUMMARY: The t42_parse_encoding function in type42/t42parse.c in FreeType before 2.5.4 does not properly update the current position for immediates-only mode, which allows remote attackers to cause a denial of service (infinite loop) via a Type42 font. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9747 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2015-9290 CVE STATUS: Patched CVE SUMMARY: In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c on function T1_Get_Private_Dict where there is no check that the new values of cur and limit are sensible before going to Again. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9290 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2015-9381 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.6.1 has a heap-based buffer over-read in T1_Get_Private_Dict in type1/t1parse.c. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9381 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2015-9382 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9382 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2015-9383 CVE STATUS: Patched CVE SUMMARY: FreeType before 2.6.2 has a heap-based buffer over-read in tt_cmap14_validate in sfnt/ttcmap.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9383 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2016-10244 CVE STATUS: Patched CVE SUMMARY: The parse_charstrings function in type1/t1load.c in FreeType 2 before 2.7 does not ensure that a font contains a glyph name, which allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10244 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2016-10328 CVE STATUS: Patched CVE SUMMARY: FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a heap-based buffer overflow related to the cff_parser_run function in cff/cffparse.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10328 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2017-7857 CVE STATUS: Patched CVE SUMMARY: FreeType 2 before 2017-03-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7857 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2017-7858 CVE STATUS: Patched CVE SUMMARY: FreeType 2 before 2017-03-07 has an out-of-bounds write related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7858 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2017-7864 CVE STATUS: Patched CVE SUMMARY: FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the tt_size_reset function in truetype/ttobjs.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7864 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2017-8105 CVE STATUS: Patched CVE SUMMARY: FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8105 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2017-8287 CVE STATUS: Patched CVE SUMMARY: FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8287 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2018-6942 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION() function within ttinterp.c could lead to DoS via a crafted font file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6942 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2020-15999 CVE STATUS: Patched CVE SUMMARY: Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 9.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15999 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2022-27404 CVE STATUS: Patched CVE SUMMARY: FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27404 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2022-27405 CVE STATUS: Patched CVE SUMMARY: FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27405 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2022-27406 CVE STATUS: Patched CVE SUMMARY: FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27406 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2025-23022 CVE STATUS: Patched CVE SUMMARY: FreeType 2.8.1 has a signed integer overflow in cf2_doFlex in cff/cf2intrp.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-23022 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2025-27363 CVE STATUS: Patched CVE SUMMARY: An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-27363 LAYER: meta PACKAGE NAME: freetype PACKAGE VERSION: 2.13.2 CVE: CVE-2026-23865 CVE STATUS: Unpatched CVE SUMMARY: An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-23865 LAYER: meta-ros2-jazzy PACKAGE NAME: cyclonedds PACKAGE VERSION: 0.10.5-1 CVE: CVE-2021-38441 CVE STATUS: Patched CVE SUMMARY: Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 6.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38441 LAYER: meta-ros2-jazzy PACKAGE NAME: cyclonedds PACKAGE VERSION: 0.10.5-1 CVE: CVE-2021-38443 CVE STATUS: Patched CVE SUMMARY: Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 6.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38443 LAYER: meta-oe PACKAGE NAME: faad2 PACKAGE VERSION: 2.11.1+git CVE: CVE-2008-4201 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the decodeMP4file function (frontend/main.c) in FAAD2 2.6.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MPEG-4 (MP4) file. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4201 LAYER: meta-oe PACKAGE NAME: faad2 PACKAGE VERSION: 2.11.1+git CVE: CVE-2021-26567 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allow local attackers to execute arbitrary code via filename and pathname options. CVSS v2 BASE SCORE: 6.5 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-26567 LAYER: meta-oe PACKAGE NAME: faad2 PACKAGE VERSION: 2.11.1+git CVE: CVE-2021-32272 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in faad2 before 2.10.0. A heap-buffer-overflow exists in the function stszin located in mp4read.c. It allows an attacker to cause Code Execution. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-32272 LAYER: meta-oe PACKAGE NAME: faad2 PACKAGE VERSION: 2.11.1+git CVE: CVE-2021-32273 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in faad2 through 2.10.0. A stack-buffer-overflow exists in the function ftypin located in mp4read.c. It allows an attacker to cause Code Execution. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-32273 LAYER: meta-oe PACKAGE NAME: faad2 PACKAGE VERSION: 2.11.1+git CVE: CVE-2021-32274 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in faad2 through 2.10.0. A heap-buffer-overflow exists in the function sbr_qmf_synthesis_64 located in sbr_qmf.c. It allows an attacker to cause code Execution. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-32274 LAYER: meta-oe PACKAGE NAME: faad2 PACKAGE VERSION: 2.11.1+git CVE: CVE-2021-32276 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in faad2 through 2.10.0. A NULL pointer dereference exists in the function get_sample() located in output.c. It allows an attacker to cause Denial of Service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-32276 LAYER: meta-oe PACKAGE NAME: faad2 PACKAGE VERSION: 2.11.1+git CVE: CVE-2021-32277 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in faad2 through 2.10.0. A heap-buffer-overflow exists in the function sbr_qmf_analysis_32 located in sbr_qmf.c. It allows an attacker to cause code Execution. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-32277 LAYER: meta-oe PACKAGE NAME: faad2 PACKAGE VERSION: 2.11.1+git CVE: CVE-2021-32278 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in faad2 through 2.10.0. A heap-buffer-overflow exists in the function lt_prediction located in lt_predict.c. It allows an attacker to cause code Execution. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-32278 LAYER: meta-oe PACKAGE NAME: faad2 PACKAGE VERSION: 2.11.1+git CVE: CVE-2023-38857 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability infaad2 v.2.10.1 allows a remote attacker to execute arbitrary code and cause a denial of service via the stcoin function in mp4read.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38857 LAYER: meta-oe PACKAGE NAME: faad2 PACKAGE VERSION: 2.11.1+git CVE: CVE-2023-38858 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability infaad2 v.2.10.1 allows a remote attacker to execute arbitrary code and cause a denial of service via the mp4info function in mp4read.c:1039. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38858 LAYER: meta PACKAGE NAME: serf PACKAGE VERSION: 1.3.10 CVE: CVE-2014-3504 CVE STATUS: Patched CVE SUMMARY: The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3504 LAYER: meta-oe PACKAGE NAME: libvpx PACKAGE VERSION: 1.14.1 CVE: CVE-2010-4203 CVE STATUS: Patched CVE SUMMARY: WebM libvpx (aka the VP8 Codec SDK) before 0.9.5, as used in Google Chrome before 7.0.517.44, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via invalid frames. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4203 LAYER: meta-oe PACKAGE NAME: libvpx PACKAGE VERSION: 1.14.1 CVE: CVE-2012-0823 CVE STATUS: Patched CVE SUMMARY: VP8 Codec SDK (libvpx) before 1.0.0 "Duclair" allows remote attackers to cause a denial of service (application crash) via (1) unspecified "corrupt input" or (2) by "starting decoding from a P-frame," which triggers an out-of-bounds read, related to "the clamping of motion vectors in SPLITMV blocks". CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0823 LAYER: meta-oe PACKAGE NAME: libvpx PACKAGE VERSION: 1.14.1 CVE: CVE-2023-44488 CVE STATUS: Patched CVE SUMMARY: VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-44488 LAYER: meta-oe PACKAGE NAME: libvpx PACKAGE VERSION: 1.14.1 CVE: CVE-2023-5217 CVE STATUS: Patched CVE SUMMARY: Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5217 LAYER: meta-oe PACKAGE NAME: libvpx PACKAGE VERSION: 1.14.1 CVE: CVE-2023-6349 CVE STATUS: Patched CVE SUMMARY: A heap overflow vulnerability exists in libvpx - Encoding a frame that has larger dimensions than the originally configured size with VP9 may result in a heap overflow in libvpx. We recommend upgrading to version 1.13.1 or above CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 5.7 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6349 LAYER: meta-oe PACKAGE NAME: libvpx PACKAGE VERSION: 1.14.1 CVE: CVE-2024-5197 CVE STATUS: Patched CVE SUMMARY: There exists interger overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 5.9 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-5197 LAYER: meta PACKAGE NAME: rpcbind PACKAGE VERSION: 1.2.6 CVE: CVE-2010-2061 CVE STATUS: Patched CVE SUMMARY: rpcbind 0.2.0 does not properly validate (1) /tmp/portmap.xdr and (2) /tmp/rpcbind.xdr, which can be created by an attacker before the daemon is started. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2061 LAYER: meta PACKAGE NAME: rpcbind PACKAGE VERSION: 1.2.6 CVE: CVE-2010-2064 CVE STATUS: Patched CVE SUMMARY: rpcbind 0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /tmp/portmap.xdr and (2) /tmp/rpcbind.xdr. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2064 LAYER: meta PACKAGE NAME: rpcbind PACKAGE VERSION: 1.2.6 CVE: CVE-2015-7236 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7236 LAYER: meta PACKAGE NAME: rpcbind PACKAGE VERSION: 1.2.6 CVE: CVE-2017-8779 CVE STATUS: Patched CVE SUMMARY: rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no subsequent free) via a crafted UDP packet to port 111, aka rpcbomb. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8779 LAYER: meta PACKAGE NAME: gcc-runtime PACKAGE VERSION: 13.4.0 CVE: CVE-1999-1439 CVE STATUS: Patched CVE SUMMARY: gcc 2.7.2 allows local users to overwrite arbitrary files via a symlink attack on temporary .i, .s, or .o files. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1439 LAYER: meta PACKAGE NAME: gcc-runtime PACKAGE VERSION: 13.4.0 CVE: CVE-2000-1219 CVE STATUS: Patched CVE SUMMARY: The -ftrapv compiler option in gcc and g++ 3.3.3 and earlier does not handle all types of integer overflows, which may leave applications vulnerable to vulnerabilities related to overflows. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1219 LAYER: meta PACKAGE NAME: gcc-runtime PACKAGE VERSION: 13.4.0 CVE: CVE-2002-2439 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-2439 LAYER: meta PACKAGE NAME: gcc-runtime PACKAGE VERSION: 13.4.0 CVE: CVE-2006-1902 CVE STATUS: Patched CVE SUMMARY: fold_binary in fold-const.c in GNU Compiler Collection (gcc) 4.1 improperly handles pointer overflow when folding a certain expr comparison to a corresponding offset comparison in cases other than EQ_EXPR and NE_EXPR, which might introduce buffer overflow vulnerabilities into applications that could be exploited by context-dependent attackers.NOTE: the vendor states that the essence of the issue is "not correctly interpreting an offset to a pointer as a signed value." CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-1902 LAYER: meta PACKAGE NAME: gcc-runtime PACKAGE VERSION: 13.4.0 CVE: CVE-2008-1367 CVE STATUS: Patched CVE SUMMARY: gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1367 LAYER: meta PACKAGE NAME: gcc-runtime PACKAGE VERSION: 13.4.0 CVE: CVE-2008-1685 CVE STATUS: Patched CVE SUMMARY: gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999) CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1685 LAYER: meta PACKAGE NAME: gcc-runtime PACKAGE VERSION: 13.4.0 CVE: CVE-2013-4598 CVE STATUS: Patched CVE SUMMARY: The Groups, Communities and Co (GCC) module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permission, which allows remote attackers to access the configuration pages via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4598 LAYER: meta PACKAGE NAME: gcc-runtime PACKAGE VERSION: 13.4.0 CVE: CVE-2015-5276 CVE STATUS: Patched CVE SUMMARY: The std::random_device class in libstdc++ in the GNU Compiler Collection (aka GCC) before 4.9.4 does not properly handle short reads from blocking sources, which makes it easier for context-dependent attackers to predict the random values via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5276 LAYER: meta PACKAGE NAME: gcc-runtime PACKAGE VERSION: 13.4.0 CVE: CVE-2017-11671 CVE STATUS: Patched CVE SUMMARY: Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11671 LAYER: meta PACKAGE NAME: gcc-runtime PACKAGE VERSION: 13.4.0 CVE: CVE-2018-12886 CVE STATUS: Patched CVE SUMMARY: stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12886 LAYER: meta PACKAGE NAME: gcc-runtime PACKAGE VERSION: 13.4.0 CVE: CVE-2019-15847 CVE STATUS: Patched CVE SUMMARY: The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15847 LAYER: meta PACKAGE NAME: gcc-runtime PACKAGE VERSION: 13.4.0 CVE: CVE-2021-37322 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: Is a binutils 2.26 issue, not gcc CVE SUMMARY: GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37322 LAYER: meta PACKAGE NAME: gcc-runtime PACKAGE VERSION: 13.4.0 CVE: CVE-2021-3826 CVE STATUS: Patched CVE SUMMARY: Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3826 LAYER: meta PACKAGE NAME: gcc-runtime PACKAGE VERSION: 13.4.0 CVE: CVE-2021-46195 CVE STATUS: Patched CVE SUMMARY: GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46195 LAYER: meta PACKAGE NAME: gcc-runtime PACKAGE VERSION: 13.4.0 CVE: CVE-2022-27943 CVE STATUS: Patched CVE SUMMARY: libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27943 LAYER: meta PACKAGE NAME: gcc-runtime PACKAGE VERSION: 13.4.0 CVE: CVE-2023-4039 CVE STATUS: Patched CVE DETAIL: fixed-version CVE DESCRIPTION: Fixed via CVE-2023-4039.patch included here. Set the status explictly to deal with all recipes that share the gcc-source CVE SUMMARY: **DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4039 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2000-0963 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in ncurses library allows local users to execute arbitrary commands via long environmental information such as TERM or TERMINFO_DIRS. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0963 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2002-0062 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in ncurses 5.0, and the ncurses4 compatibility package as used in Red Hat Linux, allows local users to gain privileges, related to "routines for moving the physical cursor and scrolling." CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0062 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2017-10684 CVE STATUS: Patched CVE SUMMARY: In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10684 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2017-10685 CVE STATUS: Patched CVE SUMMARY: In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10685 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2017-11112 CVE STATUS: Patched CVE SUMMARY: In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11112 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2017-11113 CVE STATUS: Patched CVE SUMMARY: In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11113 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2017-13728 CVE STATUS: Patched CVE SUMMARY: There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13728 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2017-13729 CVE STATUS: Patched CVE SUMMARY: There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13729 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2017-13730 CVE STATUS: Patched CVE SUMMARY: There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13730 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2017-13731 CVE STATUS: Patched CVE SUMMARY: There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13731 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2017-13732 CVE STATUS: Patched CVE SUMMARY: There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13732 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2017-13733 CVE STATUS: Patched CVE SUMMARY: There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13733 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2017-13734 CVE STATUS: Patched CVE SUMMARY: There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13734 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2017-16879 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16879 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2018-19211 CVE STATUS: Patched CVE SUMMARY: In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a "dubious character `*' in name or alias field" detection. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19211 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2018-19217 CVE STATUS: Patched CVE SUMMARY: In ncurses, possibly a 6.x version, there is a NULL pointer dereference at the function _nc_name_match that will lead to a denial of service attack. NOTE: the original report stated version 6.1, but the issue did not reproduce for that version according to the maintainer or a reliable third-party CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19217 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2019-15547 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the ncurses crate through 5.99.0 for Rust. There are format string issues in printw functions because C format arguments are mishandled. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15547 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2019-15548 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the ncurses crate through 5.99.0 for Rust. There are instr and mvwinstr buffer overflows because interaction with C functions is mishandled. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15548 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2019-17594 CVE STATUS: Patched CVE SUMMARY: There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17594 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2019-17595 CVE STATUS: Patched CVE SUMMARY: There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 5.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17595 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2020-19185 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19185 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2020-19186 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19186 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2020-19187 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19187 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2020-19188 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1116 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19188 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2020-19189 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19189 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2020-19190 CVE STATUS: Patched CVE SUMMARY: Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-19190 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2021-39537 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-39537 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2022-29458 CVE STATUS: Patched CVE SUMMARY: ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29458 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2023-29491 CVE STATUS: Patched CVE SUMMARY: ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29491 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2023-50495 CVE STATUS: Patched CVE SUMMARY: NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry(). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-50495 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2025-6141 CVE STATUS: Patched CVE SUMMARY: A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component. CVSS v2 BASE SCORE: 1.7 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 4.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-6141 LAYER: meta PACKAGE NAME: ncurses PACKAGE VERSION: 6.4 CVE: CVE-2025-69720 CVE STATUS: Unpatched CVE SUMMARY: The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-69720 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2012-2666 CVE STATUS: Patched CVE SUMMARY: golang/go in 1.0.2 fixes all.bash on shared machines. dotest() in src/pkg/debug/gosym/pclntab_test.go creates a temporary file with predicable name and executes it as shell script. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2666 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2014-7189 CVE STATUS: Patched CVE SUMMARY: crpyto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is enabled, allows man-in-the-middle attackers to spoof clients via unspecified vectors. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7189 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2015-5739 CVE STATUS: Patched CVE SUMMARY: The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5739 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2015-5740 CVE STATUS: Patched CVE SUMMARY: The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Content-length headers. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5740 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2015-5741 CVE STATUS: Patched CVE SUMMARY: The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5741 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2015-8618 CVE STATUS: Patched CVE SUMMARY: The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8618 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2016-3958 CVE STATUS: Patched CVE SUMMARY: Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3958 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2016-3959 CVE STATUS: Patched CVE SUMMARY: The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3959 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2016-5386 CVE STATUS: Patched CVE SUMMARY: The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5386 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2017-1000097 CVE STATUS: Patched CVE SUMMARY: On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000097 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2017-1000098 CVE STATUS: Patched CVE SUMMARY: The net/http package's Request.ParseMultipartForm method starts writing to temporary files once the request body size surpasses the given "maxMemory" limit. It was possible for an attacker to generate a multipart request crafted such that the server ran out of file descriptors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000098 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2017-15041 CVE STATUS: Patched CVE SUMMARY: Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15041 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2017-15042 CVE STATUS: Patched CVE SUMMARY: An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15042 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2017-8932 CVE STATUS: Patched CVE SUMMARY: A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8932 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2018-16873 CVE STATUS: Patched CVE SUMMARY: In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u". CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16873 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2018-16874 CVE STATUS: Patched CVE SUMMARY: In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16874 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2018-16875 CVE STATUS: Patched CVE SUMMARY: The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16875 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2018-6574 CVE STATUS: Patched CVE SUMMARY: Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6574 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2018-7187 CVE STATUS: Patched CVE SUMMARY: The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7187 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2019-11888 CVE STATUS: Patched CVE SUMMARY: Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11888 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2019-14809 CVE STATUS: Patched CVE SUMMARY: net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-14809 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2019-16276 CVE STATUS: Patched CVE SUMMARY: Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16276 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2019-17596 CVE STATUS: Patched CVE SUMMARY: Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17596 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2019-6486 CVE STATUS: Patched CVE SUMMARY: Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6486 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2019-9634 CVE STATUS: Patched CVE SUMMARY: Go through 1.12 on Windows misuses certain LoadLibrary functionality, leading to DLL injection. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9634 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2019-9741 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9741 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-0601 CVE STATUS: Patched CVE SUMMARY: A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0601 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-14039 CVE STATUS: Patched CVE SUMMARY: In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14039 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-15586 CVE STATUS: Patched CVE SUMMARY: Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15586 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-16845 CVE STATUS: Patched CVE SUMMARY: Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16845 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-24553 CVE STATUS: Patched CVE SUMMARY: Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24553 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-28362 CVE STATUS: Patched CVE SUMMARY: Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28362 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-28366 CVE STATUS: Patched CVE SUMMARY: Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28366 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-28367 CVE STATUS: Patched CVE SUMMARY: Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28367 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-28851 CVE STATUS: Patched CVE SUMMARY: In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.) CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28851 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-29509 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: The encoding/xml package in go can potentially be used for security exploits if not used correctly CVE applies to a netapp product as well as flagging a general issue. We don't ship anything exposing this interface in an exploitable way CVE SUMMARY: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29509 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-29510 CVE STATUS: Patched CVE SUMMARY: The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29510 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-29511 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: The encoding/xml package in go can potentially be used for security exploits if not used correctly CVE applies to a netapp product as well as flagging a general issue. We don't ship anything exposing this interface in an exploitable way CVE SUMMARY: The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29511 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2020-7919 CVE STATUS: Patched CVE SUMMARY: Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7919 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-27918 CVE STATUS: Patched CVE SUMMARY: encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-27918 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-27919 CVE STATUS: Patched CVE SUMMARY: archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any filename. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-27919 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-29923 CVE STATUS: Patched CVE SUMMARY: Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29923 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-3114 CVE STATUS: Patched CVE SUMMARY: In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3114 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-3115 CVE STATUS: Patched CVE SUMMARY: Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download). CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3115 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-31525 CVE STATUS: Patched CVE SUMMARY: net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-31525 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-33194 CVE STATUS: Patched CVE SUMMARY: golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33194 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-33195 CVE STATUS: Patched CVE SUMMARY: Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS lookups that do not validate replies from DNS servers, and thus a return value may contain an unsafe injection (e.g., XSS) that does not conform to the RFC1035 format. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33195 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-33196 CVE STATUS: Patched CVE SUMMARY: In archive/zip in Go before 1.15.13 and 1.16.x before 1.16.5, a crafted file count (in an archive's header) can cause a NewReader or OpenReader panic. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33196 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-33197 CVE STATUS: Patched CVE SUMMARY: In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33197 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-33198 CVE STATUS: Patched CVE SUMMARY: In Go before 1.15.13 and 1.16.x before 1.16.5, there can be a panic for a large exponent to the math/big.Rat SetString or UnmarshalText method. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33198 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-34558 CVE STATUS: Patched CVE SUMMARY: The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-34558 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-36221 CVE STATUS: Patched CVE SUMMARY: Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-36221 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-38297 CVE STATUS: Patched CVE SUMMARY: Go before 1.16.9 and 1.17.x before 1.17.2 has a Buffer Overflow via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38297 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-39293 CVE STATUS: Patched CVE SUMMARY: In archive/zip in Go before 1.16.8 and 1.17.x before 1.17.1, a crafted archive header (falsely designating that many files are present) can cause a NewReader or OpenReader panic. NOTE: this issue exists because of an incomplete fix for CVE-2021-33196. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-39293 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-41771 CVE STATUS: Patched CVE SUMMARY: ImportedSymbols in debug/macho (for Open or OpenFat) in Go before 1.16.10 and 1.17.x before 1.17.3 Accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-41771 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-41772 CVE STATUS: Patched CVE SUMMARY: Go before 1.16.10 and 1.17.x before 1.17.3 allows an archive/zip Reader.Open panic via a crafted ZIP archive containing an invalid name or an empty filename field. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-41772 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-44716 CVE STATUS: Patched CVE SUMMARY: net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-44716 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2021-44717 CVE STATUS: Patched CVE SUMMARY: Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 4.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-44717 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-1705 CVE STATUS: Patched CVE SUMMARY: Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1705 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-1962 CVE STATUS: Patched CVE SUMMARY: Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1962 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-23772 CVE STATUS: Patched CVE SUMMARY: Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23772 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-23773 CVE STATUS: Patched CVE SUMMARY: cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23773 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-23806 CVE STATUS: Patched CVE SUMMARY: Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23806 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-24675 CVE STATUS: Patched CVE SUMMARY: encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24675 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-24921 CVE STATUS: Patched CVE SUMMARY: regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 allows stack exhaustion via a deeply nested expression. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24921 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-27536 CVE STATUS: Patched CVE SUMMARY: Certificate.Verify in crypto/x509 in Go 1.18.x before 1.18.1 can be caused to panic on macOS when presented with certain malformed certificates. This allows a remote TLS server to cause a TLS client to panic. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27536 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-27664 CVE STATUS: Patched CVE SUMMARY: In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-27664 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-28131 CVE STATUS: Patched CVE SUMMARY: Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-28131 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-28327 CVE STATUS: Patched CVE SUMMARY: The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-28327 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-2879 CVE STATUS: Patched CVE SUMMARY: Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2879 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-2880 CVE STATUS: Patched CVE SUMMARY: Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2880 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-29526 CVE STATUS: Patched CVE SUMMARY: Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29526 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-29804 CVE STATUS: Patched CVE SUMMARY: Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-29804 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-30580 CVE STATUS: Patched CVE SUMMARY: Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30580 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-30629 CVE STATUS: Patched CVE SUMMARY: Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30629 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-30630 CVE STATUS: Patched CVE SUMMARY: Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30630 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-30631 CVE STATUS: Patched CVE SUMMARY: Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30631 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-30632 CVE STATUS: Patched CVE SUMMARY: Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30632 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-30633 CVE STATUS: Patched CVE SUMMARY: Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30633 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-30634 CVE STATUS: Patched CVE SUMMARY: Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30634 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-30635 CVE STATUS: Patched CVE SUMMARY: Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-30635 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-32148 CVE STATUS: Patched CVE SUMMARY: Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32148 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-32189 CVE STATUS: Patched CVE SUMMARY: A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32189 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-32190 CVE STATUS: Patched CVE SUMMARY: JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-32190 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-41715 CVE STATUS: Patched CVE SUMMARY: Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41715 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-41716 CVE STATUS: Patched CVE SUMMARY: Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D". CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41716 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-41717 CVE STATUS: Patched CVE SUMMARY: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41717 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-41720 CVE STATUS: Patched CVE SUMMARY: On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41720 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-41722 CVE STATUS: Patched CVE SUMMARY: A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b". CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41722 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-41723 CVE STATUS: Patched CVE SUMMARY: A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41723 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-41724 CVE STATUS: Patched CVE SUMMARY: Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41724 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2022-41725 CVE STATUS: Patched CVE SUMMARY: A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41725 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-24532 CVE STATUS: Patched CVE SUMMARY: The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24532 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-24534 CVE STATUS: Patched CVE SUMMARY: HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24534 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-24536 CVE STATUS: Patched CVE SUMMARY: Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24536 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-24537 CVE STATUS: Patched CVE SUMMARY: Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24537 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-24538 CVE STATUS: Patched CVE SUMMARY: Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24538 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-24539 CVE STATUS: Patched CVE SUMMARY: Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24539 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-24540 CVE STATUS: Patched CVE SUMMARY: Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24540 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-29400 CVE STATUS: Patched CVE SUMMARY: Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29400 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-29402 CVE STATUS: Patched CVE SUMMARY: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29402 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-29403 CVE STATUS: Patched CVE SUMMARY: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29403 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-29404 CVE STATUS: Patched CVE SUMMARY: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29404 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-29405 CVE STATUS: Patched CVE SUMMARY: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29405 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-29406 CVE STATUS: Patched CVE SUMMARY: The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29406 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-29409 CVE STATUS: Patched CVE SUMMARY: Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-29409 LAYER: meta PACKAGE NAME: go-runtime PACKAGE VERSION: 1.22.12 CVE: CVE-2023-39318 CVE STATUS: Patched CVE SUMMARY: The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 2.1 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-6019 LAYER: meta PACKAGE NAME: python3 PACKAGE VERSION: 3.12.12 CVE: CVE-2026-7210 CVE STATUS: Unpatched CVE SUMMARY: `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 6.3 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-7210 LAYER: meta PACKAGE NAME: distcc PACKAGE VERSION: 3.4 CVE: CVE-2004-0601 CVE STATUS: Patched CVE SUMMARY: distcc before 2.16, when running on 64-bit platforms, does not interpret IP-based access control rules correctly, which could allow remote attackers to bypass intended restrictions. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0601 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2012-2806 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the get_sos function in jdmarker.c in libjpeg-turbo 1.2.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large component count in the header of a JPEG image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2806 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2013-6629 CVE STATUS: Patched CVE SUMMARY: The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6629 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2014-9092 CVE STATUS: Patched CVE SUMMARY: libjpeg-turbo before 1.3.1 allows remote attackers to cause a denial of service (crash) via a crafted JPEG file, related to the Exif marker. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9092 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2016-3616 CVE STATUS: Patched CVE SUMMARY: The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3616 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2017-15232 CVE STATUS: Patched CVE SUMMARY: libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and jquant1.c via a crafted JPEG file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15232 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2017-9614 CVE STATUS: Patched CVE SUMMARY: The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted jpg file. NOTE: Maintainer asserts the issue is due to a bug in downstream code caused by misuse of the libjpeg API CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9614 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2018-1152 CVE STATUS: Patched CVE SUMMARY: libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1152 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2018-14498 CVE STATUS: Patched CVE SUMMARY: get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-14498 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2018-19664 CVE STATUS: Patched CVE SUMMARY: libjpeg-turbo 2.0.1 has a heap-based buffer over-read in the put_pixel_rows function in wrbmp.c, as demonstrated by djpeg. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19664 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2018-20330 CVE STATUS: Patched CVE SUMMARY: The tjLoadImage function in libjpeg-turbo 2.0.1 has an integer overflow with a resultant heap-based buffer overflow via a BMP image because multiplication of pitch and height is mishandled, as demonstrated by tjbench. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20330 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2019-13960 CVE STATUS: Patched CVE SUMMARY: In libjpeg-turbo 2.0.2, a large amount of memory can be used during processing of an invalid progressive JPEG image containing incorrect width and height values in the image header. NOTE: the vendor's expectation, for use cases in which this memory usage would be a denial of service, is that the application should interpret libjpeg warnings as fatal errors (aborting decompression) and/or set limits on resource consumption or image sizes CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13960 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2020-13790 CVE STATUS: Patched CVE SUMMARY: libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13790 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2020-17541 CVE STATUS: Patched CVE SUMMARY: Libjpeg-turbo all version have a stack-based buffer overflow in the "transform" component. A remote attacker can send a malformed jpeg file to the service and cause arbitrary code execution or denial of service of the target service. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17541 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2020-35538 CVE STATUS: Patched CVE SUMMARY: A crafted input file could cause a null pointer dereference in jcopy_sample_rows() when processed by libjpeg-turbo. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35538 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2021-20205 CVE STATUS: Patched CVE SUMMARY: Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20205 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2021-29390 CVE STATUS: Patched CVE SUMMARY: libjpeg-turbo version 2.0.90 has a heap-based buffer over-read (2 bytes) in decompress_smooth_data in jdcoefct.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-29390 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2021-46822 CVE STATUS: Patched CVE SUMMARY: The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46822 LAYER: meta PACKAGE NAME: libjpeg-turbo PACKAGE VERSION: 1_3.0.1 CVE: CVE-2023-2804 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer overflow issue was discovered in libjpeg-turbo in h2v2_merged_upsample_internal() function of jdmrgext.c file. The vulnerability can only be exploited with 12-bit data precision for which the range of the sample data type exceeds the valid sample range, hence, an attacker could craft a 12-bit lossless JPEG image that contains out-of-range 12-bit samples. An application attempting to decompress such image using merged upsampling would lead to segmentation fault or buffer overflows, causing an application to crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2804 LAYER: meta PACKAGE NAME: readline PACKAGE VERSION: 8.2 CVE: CVE-2014-2524 CVE STATUS: Patched CVE SUMMARY: The _rl_tropen function in util.c in GNU readline before 6.3 patch 3 allows local users to create or overwrite arbitrary files via a symlink attack on a /var/tmp/rltrace.[PID] file. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2524 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2005-2491 CVE STATUS: Patched CVE SUMMARY: Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2491 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2005-4872 CVE STATUS: Patched CVE SUMMARY: Perl-Compatible Regular Expression (PCRE) library before 6.2 does not properly count the number of named capturing subpatterns, which allows context-dependent attackers to cause a denial of service (crash) via a regular expression with a large number of named subpatterns, which triggers a buffer overflow. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4872 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2006-7225 CVE STATUS: Patched CVE SUMMARY: Perl-Compatible Regular Expression (PCRE) library before 6.7 allows context-dependent attackers to cause a denial of service (error or crash) via a regular expression that involves a "malformed POSIX character class", as demonstrated via an invalid character after a [[ sequence. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7225 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2006-7227 CVE STATUS: Patched CVE SUMMARY: Integer overflow in Perl-Compatible Regular Expression (PCRE) library before 6.7 allows context-dependent attackers to execute arbitrary code via a regular expression containing a large number of named subpatterns (name_count) or long subpattern names (max_name_size), which triggers a buffer overflow. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7227 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2006-7228 CVE STATUS: Patched CVE SUMMARY: Integer overflow in Perl-Compatible Regular Expression (PCRE) library before 6.7 might allow context-dependent attackers to execute arbitrary code via a regular expression that involves large (1) min, (2) max, or (3) duplength values that cause an incorrect length calculation and trigger a buffer overflow, a different vulnerability than CVE-2006-7227. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7228 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2006-7230 CVE STATUS: Patched CVE SUMMARY: Perl-Compatible Regular Expression (PCRE) library before 7.0 does not properly calculate the amount of memory needed for a compiled regular expression pattern when the (1) -x or (2) -i UTF-8 options change within the pattern, which allows context-dependent attackers to cause a denial of service (PCRE or glibc crash) via crafted regular expressions. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7230 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2007-1659 CVE STATUS: Patched CVE SUMMARY: Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via regex patterns containing unmatched "\Q\E" sequences with orphan "\E" codes. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1659 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2007-1660 CVE STATUS: Patched CVE SUMMARY: Perl-Compatible Regular Expression (PCRE) library before 7.0 does not properly calculate sizes for unspecified "multiple forms of character class", which triggers a buffer overflow that allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1660 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2007-1662 CVE STATUS: Patched CVE SUMMARY: Perl-Compatible Regular Expression (PCRE) library before 7.3 reads past the end of the string when searching for unmatched brackets and parentheses, which allows context-dependent attackers to cause a denial of service (crash), possibly involving forward references. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1662 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2007-4766 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in Perl-Compatible Regular Expression (PCRE) library before 7.3 allow context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via unspecified escape (backslash) sequences. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4766 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2007-4767 CVE STATUS: Patched CVE SUMMARY: Perl-Compatible Regular Expression (PCRE) library before 7.3 does not properly compute the length of (1) a \p sequence, (2) a \P sequence, or (3) a \P{x} sequence, which allows context-dependent attackers to cause a denial of service (infinite loop or crash) or execute arbitrary code. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4767 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2007-4768 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to execute arbitrary code via a singleton Unicode sequence in a character class in a regex pattern, which is incorrectly optimized. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4768 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2008-0674 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in PCRE before 7.6 allows remote attackers to execute arbitrary code via a regular expression containing a character class with a large number of characters with Unicode code points greater than 255. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0674 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2008-2371 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in pcre_compile.c in the Perl-Compatible Regular Expression (PCRE) library 7.7 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a regular expression that begins with an option and contains multiple branches. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2371 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2014-8964 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8964 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2014-9769 CVE STATUS: Patched CVE SUMMARY: pcre_jit_compile.c in PCRE 8.35 does not properly use table jumps to optimize nested alternatives, which allows remote attackers to cause a denial of service (stack memory corruption) or possibly have unspecified other impact via a crafted string, as demonstrated by packets encountered by Suricata during use of a regular expression in an Emerging Threats Open ruleset. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9769 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2015-2325 CVE STATUS: Patched CVE SUMMARY: The compile_branch function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code, cause a denial of service (out-of-bounds heap read and crash), or possibly have other unspecified impact via a regular expression with a group containing a forward reference repeated a large number of times within a repeated outer group that has a zero minimum quantifier. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2325 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2015-2326 CVE STATUS: Patched CVE SUMMARY: The pcre_compile2 function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code and cause a denial of service (out-of-bounds read) via regular expression with a group containing both a forward referencing subroutine call and a recursive back reference, as demonstrated by "((?+1)(\1))/". CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2326 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2015-2328 CVE STATUS: Patched CVE SUMMARY: PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-2328 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2015-3210 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in PCRE 8.34 through 8.37 and PCRE2 10.10 allows remote attackers to execute arbitrary code via a crafted regular expression, as demonstrated by /^(?P=B)((?P=B)(?J:(?Pc)(?Pa(?P=B)))>WGXCREDITS)/, a different vulnerability than CVE-2015-8384. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3210 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2015-3217 CVE STATUS: Patched CVE SUMMARY: PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3217 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2015-5073 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5073 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2015-8391 CVE STATUS: Patched CVE SUMMARY: The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. CVSS v2 BASE SCORE: 9.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8391 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2016-1283 CVE STATUS: Patched CVE SUMMARY: The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1283 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2016-3191 CVE STATUS: Patched CVE SUMMARY: The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3191 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2017-11164 CVE STATUS: Patched CVE SUMMARY: In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11164 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2017-16231 CVE STATUS: Patched CVE SUMMARY: In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16231 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2017-6004 CVE STATUS: Patched CVE SUMMARY: The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6004 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2017-7186 CVE STATUS: Patched CVE SUMMARY: libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7186 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2017-7244 CVE STATUS: Patched CVE SUMMARY: The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7244 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2017-7245 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7245 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2017-7246 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7246 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2019-20838 CVE STATUS: Patched CVE SUMMARY: libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20838 LAYER: meta PACKAGE NAME: libpcre PACKAGE VERSION: 8.45 CVE: CVE-2020-14155 CVE STATUS: Patched CVE SUMMARY: libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14155 LAYER: meta PACKAGE NAME: procps PACKAGE VERSION: 4.0.4 CVE: CVE-2018-1121 CVE STATUS: Patched CVE SUMMARY: procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1121 LAYER: meta PACKAGE NAME: procps PACKAGE VERSION: 4.0.4 CVE: CVE-2023-4016 CVE STATUS: Patched CVE SUMMARY: Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 2.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4016 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2006-5876 CVE STATUS: Patched CVE SUMMARY: The soup_headers_parse function in soup-headers.c for libsoup HTTP library before 2.2.99 allows remote attackers to cause a denial of service (crash) via malformed HTTP headers, probably involving missing fields or values. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5876 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2009-0585 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the soup_base64_encode function in soup-misc.c in libsoup 2.x.x before 2.2.x, and 2.x before 2.24, allows context-dependent attackers to execute arbitrary code via a long string that is converted to a base64 representation. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0585 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2011-2524 CVE STATUS: Patched CVE SUMMARY: Directory traversal vulnerability in soup-uri.c in SoupServer in libsoup before 2.35.4 allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in a URI. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2524 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2012-2132 CVE STATUS: Patched CVE SUMMARY: libsoup 2.32.2 and earlier does not validate certificates or clear the trust flag when the ssl-ca-file does not exist, which allows remote attackers to bypass authentication by connecting with a SSL connection. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2132 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2017-2885 CVE STATUS: Patched CVE SUMMARY: An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2885 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2018-11713 CVE STATUS: Patched CVE SUMMARY: WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp in the libsoup network backend of WebKit, as used in WebKitGTK+ prior to version 2.20.0 or without libsoup 2.62.0, unexpectedly failed to use system proxy settings for WebSocket connections. As a result, users could be deanonymized by crafted web sites via a WebSocket connection. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11713 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2018-12910 CVE STATUS: Patched CVE SUMMARY: The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows attackers to have unspecified impact via an empty hostname. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12910 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2019-17266 CVE STATUS: Patched CVE SUMMARY: libsoup from versions 2.65.1 until 2.68.1 have a heap-based buffer over-read because soup_ntlm_parse_challenge() in soup-auth-ntlm.c does not properly check an NTLM message's length before proceeding with a memcpy. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17266 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2024-52530 CVE STATUS: Patched CVE SUMMARY: GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-52530 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2024-52531 CVE STATUS: Patched CVE SUMMARY: GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. There is a plausible way to reach this remotely via soup_message_headers_get_content_type (e.g., an application may want to retrieve the content type of a request or response). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-52531 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2024-52532 CVE STATUS: Patched CVE SUMMARY: GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption. during the reading of certain patterns of WebSocket data from clients. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-52532 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-2784 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read when sniffing content via the skip_insight_whitespace() function. Libsoup clients may read one byte out-of-bounds in response to a crafted HTTP response by an HTTP server. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-2784 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-32050 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. The libsoup append_param_quoted() function may contain an overflow bug resulting in a buffer under-read. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32050 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-32052 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. A vulnerability in the sniff_unknown() function may lead to heap buffer over-read. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32052 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-32053 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. A vulnerability in sniff_feed_or_html() and skip_insignificant_space() functions may lead to a heap buffer over-read. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32053 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-32906 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup, where the soup_headers_parse_request() function may be vulnerable to an out-of-bound read. This flaw allows a malicious user to use a specially crafted HTTP request to crash the HTTP server. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32906 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-32907 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory. This does not allow for a full denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32907 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-32909 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. SoupContentSniffer may be vulnerable to a NULL pointer dereference in the sniff_mp4 function. The HTTP server may cause the libsoup client to crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32909 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-32910 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup, where soup_auth_digest_authenticate() is vulnerable to a NULL pointer dereference. This issue may cause the libsoup client to crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32910 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-32911 CVE STATUS: Patched CVE SUMMARY: A use-after-free type vulnerability was found in libsoup, in the soup_message_headers_get_content_disposition() function. This flaw allows a malicious HTTP client to cause memory corruption in the libsoup server. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32911 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-32912 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup, where SoupAuthDigest is vulnerable to a NULL pointer dereference. The HTTP server may cause the libsoup client to crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32912 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-32913 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup, where the soup_message_headers_get_content_disposition() function is vulnerable to a NULL pointer dereference. This flaw allows a malicious HTTP peer to crash a libsoup client or server that uses this function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32913 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-32914 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup, where the soup_multipart_new_from_message() function is vulnerable to an out-of-bounds read. This flaw allows a malicious HTTP client to induce the libsoup server to read out of bounds. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32914 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-4476 CVE STATUS: Patched CVE SUMMARY: A denial-of-service vulnerability has been identified in the libsoup HTTP client library. This flaw can be triggered when a libsoup client receives a 401 (Unauthorized) HTTP response containing a specifically crafted domain parameter within the WWW-Authenticate header. Processing this malformed header can lead to a crash of the client application using libsoup. An attacker could exploit this by setting up a malicious HTTP server. If a user's application using the vulnerable libsoup library connects to this malicious server, it could result in a denial-of-service. Successful exploitation requires tricking a user's client application into connecting to the attacker's malicious server. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-4476 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-46420 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. It is vulnerable to memory leaks in the soup_header_parse_quality_list() function when parsing a quality list that contains elements with all zeroes. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-46420 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-46421 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-46421 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-4945 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the cookie parsing logic of the libsoup HTTP library, used in GNOME applications and other software. The vulnerability arises when processing the expiration date of cookies, where a specially crafted value can trigger an integer overflow. This may result in undefined behavior, allowing an attacker to bypass cookie expiration logic, causing persistent or unintended cookie behavior. The issue stems from improper validation of large integer inputs during date arithmetic operations within the cookie parsing routines. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-4945 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-4948 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the soup_multipart_new_from_message() function of the libsoup HTTP library, which is commonly used by GNOME and other applications to handle web communications. The issue occurs when the library processes specially crafted multipart messages. Due to improper validation, an internal calculation can go wrong, leading to an integer underflow. This can cause the program to access invalid memory and crash. As a result, any application or server using libsoup could be forced to exit unexpectedly, creating a denial-of-service (DoS) risk. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-4948 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2025-4969 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in the libsoup package. This flaw stems from its failure to correctly verify the termination of multipart HTTP messages. This can allow a remote attacker to send a specially crafted multipart HTTP body, causing the libsoup-consuming server to read beyond its allocated memory boundaries (out-of-bounds read). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-4969 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2026-1467 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-1467 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2026-1536 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-1536 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2026-1539 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirected to a different host. As a result, sensitive proxy credentials may be leaked to third-party servers. Applications using libsoup for HTTP communication may unintentionally expose proxy authentication data. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-1539 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2026-1801 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where libsoup accepts malformed chunk headers, such as lone line feed (LF) characters instead of the required carriage return and line feed (CRLF). A remote attacker can exploit this without authentication or user interaction by sending specially crafted chunked requests. This allows libsoup to parse and process multiple HTTP requests from a single network message, potentially leading to information disclosure. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-1801 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2026-2369 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup. An integer underflow vulnerability occurs when processing content with a zero-length resource, leading to a buffer overread. This can allow an attacker to potentially access sensitive information or cause an application level denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-2369 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2026-2436 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup's SoupServer. A remote attacker could exploit a use-after-free vulnerability where the `soup_server_disconnect()` function frees connection objects prematurely, even if a TLS handshake is still pending. If the handshake completes after the connection object has been freed, a dangling pointer is accessed, leading to a server crash and a Denial of Service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-2436 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2026-2443 CVE STATUS: Unpatched CVE SUMMARY: A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-2443 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2026-2708 CVE STATUS: Unpatched CVE SUMMARY: A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker to send HTTP requests containing multiple Content-Length headers with differing values. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-2708 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2026-3099 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in Libsoup. The server-side digest authentication implementation in the SoupAuthDomainDigest class does not properly track issued nonces or enforce the required incrementing nonce-count (nc) attribute. This vulnerability allows a remote attacker to capture a single valid authentication header and replay it repeatedly. Consequently, the attacker can bypass authentication and gain unauthorized access to protected resources, impersonating the legitimate user. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3099 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2026-3632 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, where they can send hidden, malicious requests alongside legitimate ones. In certain situations, this could lead to Server-Side Request Forgery (SSRF), enabling an attacker to force the server to make unauthorized requests to other internal or external systems. The impact is low, as SoupServer is not actually used in internet infrastructure. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3632 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2026-3633 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3633 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2026-3634 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage Return Line Feed (CRLF) sequence due to improper input sanitization in the `soup_message_headers_set_content_type()` function. This vulnerability allows for the injection of arbitrary header-value pairs, potentially leading to HTTP header injection and response splitting attacks. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3634 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2026-4271 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup, a library for handling HTTP requests. This vulnerability, known as a Use-After-Free, occurs in the HTTP/2 server implementation. A remote attacker can exploit this by sending specially crafted HTTP/2 requests that cause authentication failures. This can lead to the application attempting to access memory that has already been freed, potentially causing application instability or crashes, resulting in a Denial of Service (DoS). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-4271 LAYER: meta PACKAGE NAME: libsoup-2.4 PACKAGE VERSION: 2.74.3 CVE: CVE-2026-5119 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5119 LAYER: meta PACKAGE NAME: zstd PACKAGE VERSION: 1.5.5 CVE: CVE-2019-11922 CVE STATUS: Patched CVE SUMMARY: A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11922 LAYER: meta PACKAGE NAME: zstd PACKAGE VERSION: 1.5.5 CVE: CVE-2021-24031 CVE STATUS: Patched CVE SUMMARY: In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-24031 LAYER: meta PACKAGE NAME: zstd PACKAGE VERSION: 1.5.5 CVE: CVE-2021-24032 CVE STATUS: Patched CVE SUMMARY: Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-24032 LAYER: meta PACKAGE NAME: zstd PACKAGE VERSION: 1.5.5 CVE: CVE-2022-4899 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4899 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2013-4242 CVE STATUS: Patched CVE SUMMARY: GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4242 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2014-3591 CVE STATUS: Patched CVE SUMMARY: Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 4.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3591 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2014-5270 CVE STATUS: Patched CVE SUMMARY: Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5270 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2015-0837 CVE STATUS: Patched CVE SUMMARY: The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack." CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0837 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2015-7511 CVE STATUS: Patched CVE SUMMARY: Libgcrypt before 1.6.5 does not properly perform elliptic-point curve multiplication during decryption, which makes it easier for physically proximate attackers to extract ECDH keys by measuring electromagnetic emanations. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 2.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7511 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2016-6313 CVE STATUS: Patched CVE SUMMARY: The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6313 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2017-0379 CVE STATUS: Patched CVE SUMMARY: Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-0379 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2017-7526 CVE STATUS: Patched CVE SUMMARY: libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7526 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2017-9526 CVE STATUS: Patched CVE SUMMARY: In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9526 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2018-0495 CVE STATUS: Patched CVE SUMMARY: Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-0495 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2018-6829 CVE STATUS: Patched CVE SUMMARY: cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6829 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2019-12904 CVE STATUS: Patched CVE SUMMARY: In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) NOTE: the vendor's position is that the issue report cannot be validated because there is no description of an attack CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12904 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2021-3345 CVE STATUS: Patched CVE SUMMARY: _gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3345 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2021-33560 CVE STATUS: Patched CVE SUMMARY: Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33560 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2021-40528 CVE STATUS: Patched CVE SUMMARY: The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-40528 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2026-41989 CVE STATUS: Unpatched CVE SUMMARY: Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-41989 LAYER: meta PACKAGE NAME: libgcrypt PACKAGE VERSION: 1.10.3 CVE: CVE-2026-41990 CVE STATUS: Patched CVE SUMMARY: Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-41990 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2004-0691 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0691 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2004-0692 CVE STATUS: Patched CVE SUMMARY: The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0692 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2004-0693 CVE STATUS: Patched CVE SUMMARY: The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0693 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2005-0627 CVE STATUS: Patched CVE SUMMARY: Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0627 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2006-4811 CVE STATUS: Patched CVE SUMMARY: Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4811 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2007-0242 CVE STATUS: Patched CVE SUMMARY: The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0242 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2007-3388 CVE STATUS: Patched CVE SUMMARY: Multiple format string vulnerabilities in (1) qtextedit.cpp, (2) qdatatable.cpp, (3) qsqldatabase.cpp, (4) qsqlindex.cpp, (5) qsqlrecord.cpp, (6) qglobal.cpp, and (7) qsvgdevice.cpp in QTextEdit in Trolltech Qt 3 before 3.3.8 20070727 allow remote attackers to execute arbitrary code via format string specifiers in text used to compose an error message. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3388 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2007-4137 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4137 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2009-2700 CVE STATUS: Patched CVE SUMMARY: src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2700 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2010-1766 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-1766 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2010-2621 CVE STATUS: Patched CVE SUMMARY: The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2621 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2010-5076 CVE STATUS: Patched CVE SUMMARY: QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5076 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2011-3193 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3193 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2011-3194 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the TIFF reader in gui/image/qtiffhandler.cpp in Qt 4.7.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the TIFFTAG_SAMPLESPERPIXEL tag in a greyscale TIFF image with multiple samples per pixel. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3194 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2012-5624 CVE STATUS: Patched CVE SUMMARY: The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-5624 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2012-6093 CVE STATUS: Patched CVE SUMMARY: The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6093 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2013-0254 CVE STATUS: Patched CVE SUMMARY: The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0254 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2013-4549 CVE STATUS: Patched CVE SUMMARY: QXmlSimpleReader in Qt before 5.2 allows context-dependent attackers to cause a denial of service (memory consumption) via an XML Entity Expansion (XEE) attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4549 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2014-0190 CVE STATUS: Patched CVE SUMMARY: The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0190 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-0295 CVE STATUS: Patched CVE SUMMARY: The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0295 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1290 CVE STATUS: Patched CVE SUMMARY: The Google V8 engine, as used in Google Chrome before 44.0.2403.89 and QtWebEngineCore in Qt before 5.5.1, allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted web site. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1290 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1858 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in gui/image/qbmphandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted BMP image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1858 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1859 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in plugins/imageformats/ico/qicohandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault and crash) and possibly execute arbitrary code via a crafted ICO image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1859 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-1860 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in gui/image/qgifhandler.cpp in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1860 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-7298 CVE STATUS: Patched CVE SUMMARY: ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7298 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2015-9541 CVE STATUS: Patched CVE SUMMARY: Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9541 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2017-10904 CVE STATUS: Patched CVE SUMMARY: Qt for Android prior to 5.9.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10904 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2017-10905 CVE STATUS: Patched CVE SUMMARY: A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10905 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2017-15011 CVE STATUS: Patched CVE SUMMARY: The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15011 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-15518 CVE STATUS: Patched CVE SUMMARY: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15518 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19865 CVE STATUS: Patched CVE SUMMARY: A keystroke logging issue was discovered in Virtual Keyboard in Qt 5.7.x, 5.8.x, 5.9.x, 5.10.x, and 5.11.x before 5.11.3. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19865 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19869 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19869 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19870 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19870 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19871 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19871 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19872 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19872 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-19873 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19873 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2018-21035 CVE STATUS: Patched CVE SUMMARY: In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21035 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2019-18281 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds memory access in the generateDirectionalRuns() function in qtextengine.cpp in Qt qtbase 5.11.x and 5.12.x before 5.12.5 allows attackers to cause a denial of service by crashing an application via a text file containing many directional characters. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-18281 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-0569 CVE STATUS: Patched CVE SUMMARY: Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 5.7 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0569 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-0570 CVE STATUS: Patched CVE SUMMARY: Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0570 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-12267 CVE STATUS: Patched CVE SUMMARY: setMarkdown in Qt before 5.14.2 has a use-after-free related to QTextMarkdownImporter::insertBlock. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12267 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-13962 CVE STATUS: Patched CVE SUMMARY: Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.) CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13962 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-17507 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17507 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2020-24742 CVE STATUS: Patched CVE SUMMARY: An issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24742 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2021-28025 CVE STATUS: Patched CVE SUMMARY: Integer Overflow vulnerability in qsvghandler.cpp in Qt qtsvg versions 5.15.1, 6.0.0, 6.0.2, and 6.2, allows local attackers to cause a denial of service (DoS). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28025 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2021-3481 CVE STATUS: Patched CVE SUMMARY: A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3481 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2021-38593 CVE STATUS: Patched CVE SUMMARY: Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-38593 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-25255 CVE STATUS: Patched CVE SUMMARY: In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25255 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-25634 CVE STATUS: Patched CVE SUMMARY: Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25634 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-40983 CVE STATUS: Patched CVE SUMMARY: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40983 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2022-43591 CVE STATUS: Patched CVE SUMMARY: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43591 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-24607 CVE STATUS: Patched CVE SUMMARY: Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-24607 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32573 CVE STATUS: Unpatched CVE SUMMARY: In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32573 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32762 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32762 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-32763 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-32763 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-33285 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-33285 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-34410 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-34410 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-37369 CVE STATUS: Patched CVE SUMMARY: In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-37369 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-38197 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38197 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-43114 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-43114 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2023-51714 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51714 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-25580 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-25580 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-30161 CVE STATUS: Patched CVE SUMMARY: In Qt 6.5.4, 6.5.5, and 6.6.2, QNetworkReply header data might be accessed via a dangling pointer in Qt for WebAssembly (wasm). (Earlier and later versions are unaffected.) CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-30161 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-36048 CVE STATUS: Unpatched CVE SUMMARY: QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-36048 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2024-39936 CVE STATUS: Unpatched CVE SUMMARY: An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.6 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39936 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-30348 CVE STATUS: Unpatched CVE SUMMARY: encodeText in QDom in Qt before 6.8.0 has a complex algorithm involving XML string copy and inline replacement of parts of a string (with relocation of later data). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-30348 LAYER: meta-qt5 PACKAGE NAME: qtbase PACKAGE VERSION: 5.15.13+git CVE: CVE-2025-5683 CVE STATUS: Patched CVE SUMMARY: When loading a specifically crafted ICNS format image file in QImage then it will trigger a crash. This issue affects Qt from versions 6.3.0 through 6.5.9, from 6.6.0 through 6.8.4, 6.9.0. This is fixed in 6.5.10, 6.8.5 and 6.9.1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 5.1 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-5683 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2012-0871 CVE STATUS: Patched CVE SUMMARY: The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/. CVSS v2 BASE SCORE: 6.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0871 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2012-1101 CVE STATUS: Patched CVE SUMMARY: systemd 37-1 does not properly handle non-existent services, which causes a denial of service (failure of login procedure). CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1101 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2012-1174 CVE STATUS: Patched CVE SUMMARY: The rm_rf_children function in util.c in the systemd-logind login manager in systemd before 44, when logging out, allows local users to delete arbitrary files via a symlink attack on unspecified files, related to "particular records related with user session." CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1174 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2013-4327 CVE STATUS: Patched CVE SUMMARY: systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4327 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2013-4391 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the valid_user_field function in journal/journald-native.c in systemd allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large journal data field, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4391 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2013-4392 CVE STATUS: Patched CVE SUMMARY: systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4392 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2013-4393 CVE STATUS: Patched CVE SUMMARY: journald in systemd, when the origin of native messages is set to file, allows local users to cause a denial of service (logging service blocking) via a crafted file descriptor. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4393 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2013-4394 CVE STATUS: Patched CVE SUMMARY: The SetX11Keyboard function in systemd, when PolicyKit Local Authority (PKLA) is used to change the group permissions on the X Keyboard Extension (XKB) layouts description, allows local users in the group to modify the Xorg X11 Server configuration file and possibly gain privileges via vectors involving "special and control characters." CVSS v2 BASE SCORE: 5.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4394 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2015-7510 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the getpwnam and getgrnam functions of the NSS module nss-mymachines in systemd. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7510 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2016-10156 CVE STATUS: Patched CVE SUMMARY: A flaw in systemd v228 in /src/basic/fs-util.c caused world writable suid files to be created when using the systemd timers features, allowing local attackers to escalate their privileges to root. This is fixed in v229. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10156 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2016-7795 CVE STATUS: Patched CVE SUMMARY: The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a notify socket. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7795 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2016-7796 CVE STATUS: Patched CVE SUMMARY: The manager_dispatch_notify_fd function in systemd allows local users to cause a denial of service (system hang) via a zero-length message received over a notify socket, which causes an error to be returned and the notification handler to be disabled. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7796 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2017-1000082 CVE STATUS: Patched CVE SUMMARY: systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the service in question with root privileges rather than the user intended. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-1000082 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2017-15908 CVE STATUS: Patched CVE SUMMARY: In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource record to trigger an infinite loop in the dns_packet_read_type_window() function of the 'systemd-resolved' service and cause a DoS of the affected service. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15908 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2017-18078 CVE STATUS: Patched CVE SUMMARY: systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18078 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2017-9217 CVE STATUS: Patched CVE SUMMARY: systemd-resolved through 233 allows remote attackers to cause a denial of service (daemon crash) via a crafted DNS response with an empty question section. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9217 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2017-9445 CVE STATUS: Patched CVE SUMMARY: In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9445 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2018-1049 CVE STATUS: Patched CVE SUMMARY: In systemd prior to 234 a race condition exists between .mount and .automount units such that automount requests from kernel may not be serviced by systemd resulting in kernel holding the mountpoint and any processes that try to use said mount will hang. A race condition like this may lead to denial of service, until mount points are unmounted. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1049 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2018-15686 CVE STATUS: Patched CVE SUMMARY: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15686 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2018-15687 CVE STATUS: Patched CVE SUMMARY: A race condition in chown_one() of systemd allows an attacker to cause systemd to set arbitrary permissions on arbitrary files. Affected releases are systemd versions up to and including 239. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15687 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2018-15688 CVE STATUS: Patched CVE SUMMARY: A buffer overflow vulnerability in the dhcp6 client of systemd allows a malicious dhcp6 server to overwrite heap memory in systemd-networkd. Affected releases are systemd: versions up to and including 239. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15688 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2018-16864 CVE STATUS: Patched CVE SUMMARY: An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when a program with long command line arguments calls syslog. A local attacker may use this flaw to crash systemd-journald or escalate his privileges. Versions through v240 are vulnerable. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16864 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2018-16865 CVE STATUS: Patched CVE SUMMARY: An allocation of memory without limits, that could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges. Versions through v240 are vulnerable. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16865 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2018-16866 CVE STATUS: Patched CVE SUMMARY: An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16866 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2018-16888 CVE STATUS: Patched CVE SUMMARY: It was discovered systemd does not correctly check the content of PIDFile files before using it to kill processes. When a service is run from an unprivileged user (e.g. User field set in the service file), a local attacker who is able to write to the PIDFile of the mentioned service may use this flaw to trick systemd into killing other services and/or privileged processes. Versions before v237 are vulnerable. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16888 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2018-20839 CVE STATUS: Patched CVE SUMMARY: systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20839 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2018-21029 CVE STATUS: Patched CVE SUMMARY: systemd 239 through 245 accepts any certificate signed by a trusted certificate authority for DNS Over TLS. Server Name Indication (SNI) is not sent, and there is no hostname validation with the GnuTLS backend. NOTE: This has been disputed by the developer as not a vulnerability since hostname validation does not have anything to do with this issue (i.e. there is no hostname to be sent) CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-21029 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2018-6954 CVE STATUS: Patched CVE SUMMARY: systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-6954 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2019-15718 CVE STATUS: Patched CVE SUMMARY: In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15718 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2019-20386 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 2.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20386 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2019-3842 CVE STATUS: Patched CVE SUMMARY: In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set a XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the "allow_active" element rather than "allow_any". CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 4.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3842 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2019-3843 CVE STATUS: Patched CVE SUMMARY: It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 4.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3843 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2019-3844 CVE STATUS: Patched CVE SUMMARY: It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 4.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3844 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2019-6454 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in sd-bus in systemd 239. bus_process_object() in libsystemd/sd-bus/bus-objects.c allocates a variable-length stack buffer for temporarily storing the object path of incoming D-Bus messages. An unprivileged local user can exploit this by sending a specially crafted message to PID1, causing the stack pointer to jump over the stack guard pages into an unmapped memory region and trigger a denial of service (systemd PID1 crash and kernel panic). CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6454 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2020-13529 CVE STATUS: Patched CVE SUMMARY: An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server. CVSS v2 BASE SCORE: 2.9 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13529 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2020-13776 CVE STATUS: Patched CVE SUMMARY: systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082. CVSS v2 BASE SCORE: 6.2 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13776 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2020-1712 CVE STATUS: Patched CVE SUMMARY: A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1712 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2021-33910 CVE STATUS: Patched CVE SUMMARY: basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33910 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2021-3997 CVE STATUS: Patched CVE SUMMARY: A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3997 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2022-2526 CVE STATUS: Patched CVE SUMMARY: A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2526 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2022-3821 CVE STATUS: Patched CVE SUMMARY: An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3821 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2022-4415 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4415 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2022-45873 CVE STATUS: Patched CVE SUMMARY: systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-45873 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2023-26604 CVE STATUS: Patched CVE SUMMARY: systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-26604 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2023-31437 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31437 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2023-31438 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31438 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2023-31439 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-31439 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2023-7008 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-7008 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2025-4598 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-4598 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2026-29111 CVE STATUS: Unpatched CVE SUMMARY: systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-29111 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2026-40223 CVE STATUS: Patched CVE SUMMARY: In systemd 258 before 260, a local unprivileged user can trigger an assert when a Delegate=yes and User= unit exists and is running. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-40223 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2026-40224 CVE STATUS: Patched CVE SUMMARY: In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-40224 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2026-40225 CVE STATUS: Unpatched CVE SUMMARY: In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.4 CVSS v4 BASE SCORE: 0.0 VECTOR: PHYSICAL VECTORSTRING: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-40225 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2026-40226 CVE STATUS: Unpatched CVE SUMMARY: In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-40226 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2026-40227 CVE STATUS: Patched CVE SUMMARY: In systemd 260 before 261, a local unprivileged user can trigger an assert via an IPC API call with an array or map that has a null element. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-40227 LAYER: meta PACKAGE NAME: systemd PACKAGE VERSION: 1_255.21 CVE: CVE-2026-40228 CVE STATUS: Patched CVE SUMMARY: In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 2.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-40228 LAYER: meta-virtualization PACKAGE NAME: containerd-opencontainers PACKAGE VERSION: v2.0.7 CVE: CVE-2020-15157 CVE STATUS: Patched CVE SUMMARY: In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a “foreign layer”), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15157 LAYER: meta-virtualization PACKAGE NAME: containerd-opencontainers PACKAGE VERSION: v2.0.7 CVE: CVE-2020-15257 CVE STATUS: Patched CVE SUMMARY: containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 5.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15257 LAYER: meta-virtualization PACKAGE NAME: containerd-opencontainers PACKAGE VERSION: v2.0.7 CVE: CVE-2021-21334 CVE STATUS: Patched CVE SUMMARY: In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-21334 LAYER: meta-virtualization PACKAGE NAME: containerd-opencontainers PACKAGE VERSION: v2.0.7 CVE: CVE-2021-32760 CVE STATUS: Patched CVE SUMMARY: containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-32760 LAYER: meta-virtualization PACKAGE NAME: containerd-opencontainers PACKAGE VERSION: v2.0.7 CVE: CVE-2021-41103 CVE STATUS: Patched CVE SUMMARY: containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these version when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Users unable to update should limit access to the host to trusted users. Update directory permission on container bundles directories. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-41103 LAYER: meta-virtualization PACKAGE NAME: containerd-opencontainers PACKAGE VERSION: v2.0.7 CVE: CVE-2021-43816 CVE STATUS: Patched CVE SUMMARY: containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible. CVSS v2 BASE SCORE: 6.0 CVSS v3 BASE SCORE: 8.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-43816 LAYER: meta-virtualization PACKAGE NAME: containerd-opencontainers PACKAGE VERSION: v2.0.7 CVE: CVE-2022-23471 CVE STATUS: Patched CVE SUMMARY: containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23471 LAYER: meta-virtualization PACKAGE NAME: containerd-opencontainers PACKAGE VERSION: v2.0.7 CVE: CVE-2022-23648 CVE STATUS: Patched CVE SUMMARY: containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23648 LAYER: meta-virtualization PACKAGE NAME: containerd-opencontainers PACKAGE VERSION: v2.0.7 CVE: CVE-2022-31030 CVE STATUS: Patched CVE SUMMARY: containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-31030 LAYER: meta-virtualization PACKAGE NAME: containerd-opencontainers PACKAGE VERSION: v2.0.7 CVE: CVE-2023-25153 CVE STATUS: Patched CVE SUMMARY: containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25153 LAYER: meta-virtualization PACKAGE NAME: containerd-opencontainers PACKAGE VERSION: v2.0.7 CVE: CVE-2023-25173 CVE STATUS: Patched CVE SUMMARY: containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25173 LAYER: meta-virtualization PACKAGE NAME: containerd-opencontainers PACKAGE VERSION: v2.0.7 CVE: CVE-2024-25621 CVE STATUS: Patched CVE SUMMARY: containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-25621 LAYER: meta-virtualization PACKAGE NAME: containerd-opencontainers PACKAGE VERSION: v2.0.7 CVE: CVE-2024-40635 CVE STATUS: Patched CVE SUMMARY: containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-40635 LAYER: meta-virtualization PACKAGE NAME: containerd-opencontainers PACKAGE VERSION: v2.0.7 CVE: CVE-2025-47290 CVE STATUS: Patched CVE SUMMARY: containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system. The only affected version of containerd is 2.1.0. Other versions of containerd are not affected. This bug has been fixed in containerd 2.1.1. Users should update to this version to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 7.6 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-47290 LAYER: meta-virtualization PACKAGE NAME: containerd-opencontainers PACKAGE VERSION: v2.0.7 CVE: CVE-2025-47291 CVE STATUS: Patched CVE SUMMARY: containerd is an open-source container runtime. A bug was found in the containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn't put usernamespaced containers under the Kubernetes' cgroup hierarchy, therefore some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node. This bug has been fixed in containerd 2.0.5+ and 2.1.0+. Users should update to these versions to resolve the issue. As a workaround, disable usernamespaced pods in Kubernetes temporarily. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 4.6 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-47291 LAYER: meta-virtualization PACKAGE NAME: containerd-opencontainers PACKAGE VERSION: v2.0.7 CVE: CVE-2025-64329 CVE STATUS: Patched CVE SUMMARY: containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 6.9 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-64329 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2001-1147 CVE STATUS: Patched CVE SUMMARY: The PAM implementation in /bin/login of the util-linux package before 2.11 causes a password entry to be rewritten across multiple PAM calls, which could provide the credentials of one user to a different user, when used in certain PAM modules such as pam_limits. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1147 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2001-1175 CVE STATUS: Patched CVE SUMMARY: vipw in the util-linux package before 2.10 causes /etc/shadow to be world-readable in some cases, which would make it easier for local users to perform brute force password guessing. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1175 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2001-1494 CVE STATUS: Patched CVE SUMMARY: script command in the util-linux package before 2.11n allows local users to overwrite arbitrary files by setting a hardlink from the typescript log file to any file on the system, then having root execute the script command. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1494 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2003-0094 CVE STATUS: Patched CVE SUMMARY: A patch for mcookie in the util-linux package for Mandrake Linux 8.2 and 9.0 uses /dev/urandom instead of /dev/random, which causes mcookie to use an entropy source that is more predictable than expected, which may make it easier for certain types of attacks to succeed. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0094 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2004-0080 CVE STATUS: Patched CVE SUMMARY: The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0080 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2005-2876 CVE STATUS: Patched CVE SUMMARY: umount in util-linux 2.8 to 2.12q, 2.13-pre1, and 2.13-pre2, and other packages such as loop-aes-utils, allows local users with unmount permissions to gain privileges via the -r (remount) option, which causes the file system to be remounted with just the read-only flag, which effectively clears the nosuid, nodev, and other flags. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2876 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2006-7108 CVE STATUS: Patched CVE SUMMARY: login in util-linux-2.12a skips pam_acct_mgmt and chauth_tok when authentication is skipped, such as when a Kerberos krlogin session has been established, which might allow users to bypass intended access policies that would be enforced by pam_acct_mgmt and chauth_tok. CVSS v2 BASE SCORE: 4.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-7108 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2007-5191 CVE STATUS: Patched CVE SUMMARY: mount and umount in util-linux and loop-aes-utils call the setuid and setgid functions in the wrong order and do not check the return values, which might allow attackers to gain privileges via helpers such as mount.nfs. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5191 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2008-1926 CVE STATUS: Patched CVE SUMMARY: Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1926 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2011-1675 CVE STATUS: Patched CVE SUMMARY: mount in util-linux 2.19 and earlier attempts to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1675 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2011-1676 CVE STATUS: Patched CVE SUMMARY: mount in util-linux 2.19 and earlier does not remove the /etc/mtab.tmp file after a failed attempt to add a mount entry, which allows local users to trigger corruption of the /etc/mtab file via multiple invocations. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1676 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2011-1677 CVE STATUS: Patched CVE SUMMARY: mount in util-linux 2.19 and earlier does not remove the /etc/mtab~ lock file after a failed attempt to add a mount entry, which has unspecified impact and local attack vectors. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1677 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2013-0157 CVE STATUS: Patched CVE SUMMARY: (a) mount and (b) umount in util-linux 2.14.1, 2.17.2, and probably other versions allow local users to determine the existence of restricted directories by (1) using the --guess-fstype command-line option or (2) attempting to mount a non-existent device, which generates different error messages depending on whether the directory exists. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0157 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2014-9114 CVE STATUS: Patched CVE SUMMARY: Blkid in util-linux before 2.26rc-1 allows local users to execute arbitrary code. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9114 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2015-5218 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in text-utils/colcrt.c in colcrt in util-linux before 2.27 allows local users to cause a denial of service (crash) via a crafted file, related to the page global variable. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5218 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2015-5224 CVE STATUS: Patched CVE SUMMARY: The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5224 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2016-2779 CVE STATUS: Patched CVE SUMMARY: runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2779 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2016-5011 CVE STATUS: Patched CVE SUMMARY: The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 4.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5011 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2017-2616 CVE STATUS: Patched CVE SUMMARY: A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2616 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2018-7738 CVE STATUS: Patched CVE SUMMARY: In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7738 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2020-21583 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in hwclock.13-v2.27 allows attackers to gain escalated privlidges or execute arbitrary commands via the path parameter when setting the date. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-21583 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2021-37600 CVE STATUS: Patched CVE SUMMARY: An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments. CVSS v2 BASE SCORE: 1.2 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-37600 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2021-3995 CVE STATUS: Patched CVE SUMMARY: A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows an unprivileged local attacker to unmount FUSE filesystems that belong to certain other users who have a UID that is a prefix of the UID of the attacker in its string form. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3995 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2021-3996 CVE STATUS: Patched CVE SUMMARY: A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3996 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2022-0563 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0563 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2024-28085 CVE STATUS: Patched CVE SUMMARY: wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-28085 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2026-27456 CVE STATUS: Unpatched CVE SUMMARY: util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-27456 LAYER: meta-xilinx-core PACKAGE NAME: util-linux PACKAGE VERSION: 2.40.4 CVE: CVE-2026-3184 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3184 LAYER: meta PACKAGE NAME: libksba PACKAGE VERSION: 1.6.6 CVE: CVE-2014-9087 CVE STATUS: Patched CVE SUMMARY: Integer underflow in the ksba_oid_to_str function in Libksba before 1.3.2, as used in GnuPG, allows remote attackers to cause a denial of service (crash) via a crafted OID in a (1) S/MIME message or (2) ECC based OpenPGP data, which triggers a buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9087 LAYER: meta PACKAGE NAME: libksba PACKAGE VERSION: 1.6.6 CVE: CVE-2016-4353 CVE STATUS: Patched CVE SUMMARY: ber-decoder.c in Libksba before 1.3.3 does not properly handle decoder stack overflows, which allows remote attackers to cause a denial of service (abort) via crafted BER data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4353 LAYER: meta PACKAGE NAME: libksba PACKAGE VERSION: 1.6.6 CVE: CVE-2016-4354 CVE STATUS: Patched CVE SUMMARY: ber-decoder.c in Libksba before 1.3.3 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (crash) via crafted BER data, which leads to a buffer overflow. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4354 LAYER: meta PACKAGE NAME: libksba PACKAGE VERSION: 1.6.6 CVE: CVE-2016-4355 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in ber-decoder.c in Libksba before 1.3.3 allow remote attackers to cause a denial of service (crash) via crafted BER data, which leads to a buffer overflow. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4355 LAYER: meta PACKAGE NAME: libksba PACKAGE VERSION: 1.6.6 CVE: CVE-2016-4356 CVE STATUS: Patched CVE SUMMARY: The append_utf8_value function in the DN decoder (dn.c) in Libksba before 1.3.3 allows remote attackers to cause a denial of service (out-of-bounds read) by clearing the high bit of the byte after invalid utf-8 encoded data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4356 LAYER: meta PACKAGE NAME: libksba PACKAGE VERSION: 1.6.6 CVE: CVE-2016-4574 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the append_utf8_value function in the DN decoder (dn.c) in Libksba before 1.3.4 allows remote attackers to cause a denial of service (out-of-bounds read) via invalid utf-8 encoded data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-4356. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4574 LAYER: meta PACKAGE NAME: libksba PACKAGE VERSION: 1.6.6 CVE: CVE-2016-4579 CVE STATUS: Patched CVE SUMMARY: Libksba before 1.3.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via unspecified vectors, related to the "returned length of the object from _ksba_ber_parse_tl." CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4579 LAYER: meta PACKAGE NAME: libksba PACKAGE VERSION: 1.6.6 CVE: CVE-2022-3515 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3515 LAYER: meta PACKAGE NAME: libksba PACKAGE VERSION: 1.6.6 CVE: CVE-2022-47629 CVE STATUS: Patched CVE SUMMARY: Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47629 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-1999-1010 CVE STATUS: Patched CVE SUMMARY: An SSH 1.2.27 server allows a client to use the "none" cipher, even if it is not allowed by the server policy. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-1999-1010 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2000-0143 CVE STATUS: Patched CVE SUMMARY: The SSH protocol server sshd allows local users without shell access to redirect a TCP connection through a service that uses the standard system password database for authentication, such as POP or FTP. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0143 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2000-0217 CVE STATUS: Patched CVE SUMMARY: The default configuration of SSH allows X forwarding, which could allow a remote attacker to control a client's X sessions via a malicious xauth program. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0217 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2000-0525 CVE STATUS: Patched CVE SUMMARY: OpenSSH does not properly drop privileges when the UseLogin option is enabled, which allows local users to execute arbitrary commands by providing the command to the ssh daemon. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0525 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2000-0992 CVE STATUS: Patched CVE SUMMARY: Directory traversal vulnerability in scp in sshd 1.2.xx allows a remote malicious scp server to overwrite arbitrary files via a .. (dot dot) attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0992 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2000-0999 CVE STATUS: Patched CVE SUMMARY: Format string vulnerabilities in OpenBSD ssh program (and possibly other BSD-based operating systems) allow attackers to gain root privileges. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-0999 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2000-1169 CVE STATUS: Patched CVE SUMMARY: OpenSSH SSH client before 2.3.0 does not properly disable X11 or agent forwarding, which could allow a malicious SSH server to gain access to the X11 display and sniff X11 events, or gain access to the ssh-agent. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2000-1169 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2001-0144 CVE STATUS: Patched CVE SUMMARY: CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0144 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2001-0361 CVE STATUS: Patched CVE SUMMARY: Implementations of SSH version 1.5, including (1) OpenSSH up to version 2.3.0, (2) AppGate, and (3) ssh-1 up to version 1.2.31, in certain configurations, allow a remote attacker to decrypt and/or alter traffic via a "Bleichenbacher attack" on PKCS#1 version 1.5. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0361 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2001-0529 CVE STATUS: Patched CVE SUMMARY: OpenSSH version 2.9 and earlier, with X forwarding enabled, allows a local attacker to delete any file named 'cookies' via a symlink attack. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0529 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2001-0572 CVE STATUS: Patched CVE SUMMARY: The SSH protocols 1 and 2 (aka SSH-2) as implemented in OpenSSH and other packages have various weaknesses which can allow a remote attacker to obtain the following information via sniffing: (1) password lengths or ranges of lengths, which simplifies brute force password guessing, (2) whether RSA or DSA authentication is being used, (3) the number of authorized_keys in RSA authentication, or (4) the lengths of shell commands. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0572 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2001-0816 CVE STATUS: Patched CVE SUMMARY: OpenSSH before 2.9.9, when running sftp using sftp-server and using restricted keypairs, allows remote authenticated users to bypass authorized_keys2 command= restrictions using sftp commands. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0816 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2001-0872 CVE STATUS: Patched CVE SUMMARY: OpenSSH 3.0.1 and earlier with UseLogin enabled does not properly cleanse critical environment variables such as LD_PRELOAD, which allows local users to gain root privileges. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-0872 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2001-1029 CVE STATUS: Patched CVE SUMMARY: libutil in OpenSSH on FreeBSD 4.4 and earlier does not drop privileges before verifying the capabilities for reading the copyright and welcome files, which allows local users to bypass the capabilities checks and read arbitrary files by specifying alternate copyright or welcome files. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1029 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2001-1380 CVE STATUS: Patched CVE SUMMARY: OpenSSH before 2.9.9, while using keypairs and multiple keys of different types in the ~/.ssh/authorized_keys2 file, may not properly handle the "from" option associated with a key, which could allow remote attackers to login from unauthorized IP addresses. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1380 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2001-1382 CVE STATUS: Patched CVE SUMMARY: The "echo simulation" traffic analysis countermeasure in OpenSSH before 2.9.9p2 sends an additional echo packet after the password and carriage return is entered, which could allow remote attackers to determine that the countermeasure is being used. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1382 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2001-1459 CVE STATUS: Patched CVE SUMMARY: OpenSSH 2.9 and earlier does not initiate a Pluggable Authentication Module (PAM) session if commands are executed with no pty, which allows local users to bypass resource limits (rlimits) set in pam.d. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1459 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2001-1507 CVE STATUS: Patched CVE SUMMARY: OpenSSH before 3.0.1 with Kerberos V enabled does not properly authenticate users, which could allow remote attackers to login unchallenged. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1507 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2001-1585 CVE STATUS: Patched CVE SUMMARY: SSH protocol 2 (aka SSH-2) public key authentication in the development snapshot of OpenSSH 2.3.1, available from 2001-01-18 through 2001-02-08, does not perform a challenge-response step to ensure that the client has the proper private key, which allows remote attackers to bypass authentication as other users by supplying a public key from that user's authorized_keys file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1585 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2002-0083 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0083 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2002-0575 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in OpenSSH before 2.9.9, and 3.x before 3.2.1, with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing enabled, allows remote and local authenticated users to gain privileges. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0575 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2002-0639 CVE STATUS: Patched CVE SUMMARY: Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote attackers to execute arbitrary code during challenge response authentication (ChallengeResponseAuthentication) when OpenSSH is using SKEY or BSD_AUTH authentication. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0639 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2002-0640 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt). CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0640 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2002-0765 CVE STATUS: Patched CVE SUMMARY: sshd in OpenSSH 3.2.2, when using YP with netgroups and under certain conditions, may allow users to successfully authenticate and log in with another user's password. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-0765 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2003-0190 CVE STATUS: Patched CVE SUMMARY: OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0190 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2003-0386 CVE STATUS: Patched CVE SUMMARY: OpenSSH 3.6.1 and earlier, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass "from=" and "user@host" address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0386 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2003-0682 CVE STATUS: Patched CVE SUMMARY: "Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CVE-2003-0693 and CVE-2003-0695. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0682 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2003-0693 CVE STATUS: Patched CVE SUMMARY: A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0693 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2003-0695 CVE STATUS: Patched CVE SUMMARY: Multiple "buffer management errors" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CVE-2003-0693. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0695 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2003-0786 CVE STATUS: Patched CVE SUMMARY: The SSH1 PAM challenge response authentication in OpenSSH 3.7.1 and 3.7.1p1, when Privilege Separation is disabled, does not check the result of the authentication attempt, which can allow remote attackers to gain privileges. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0786 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2003-0787 CVE STATUS: Patched CVE SUMMARY: The PAM conversation function in OpenSSH 3.7.1 and 3.7.1p1 interprets an array of structures as an array of pointers, which allows attackers to modify the stack and possibly gain privileges. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0787 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2003-1562 CVE STATUS: Patched CVE SUMMARY: sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using PAM keyboard-interactive authentication, does not insert a delay after a root login attempt with the correct password, which makes it easier for remote attackers to use timing differences to determine if the password step of a multi-step authentication is successful, a different vulnerability than CVE-2003-0190. CVSS v2 BASE SCORE: 7.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-1562 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2004-0175 CVE STATUS: Patched CVE SUMMARY: Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files. NOTE: this may be a rediscovery of CVE-2000-0992. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-0175 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2004-1653 CVE STATUS: Patched CVE SUMMARY: The default configuration for OpenSSH enables AllowTcpForwarding, which could allow remote authenticated users to perform a port bounce, when configured with an anonymous access program such as AnonCVS. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-1653 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2004-2069 CVE STATUS: Patched CVE SUMMARY: sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2069 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2004-2760 CVE STATUS: Patched CVE SUMMARY: sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observing the connection state, a different vulnerability than CVE-2003-0190. NOTE: it could be argued that in most environments, this does not cross privilege boundaries without requiring leverage of a separate vulnerability. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2004-2760 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2005-2666 CVE STATUS: Patched CVE SUMMARY: SSH, as implemented in OpenSSH before 4.0 and possibly other implementations, stores hostnames, IP addresses, and keys in plaintext in the known_hosts file, which makes it easier for an attacker that has compromised an SSH user's account to generate a list of additional targets that are more likely to have the same password or key. CVSS v2 BASE SCORE: 1.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2666 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2005-2797 CVE STATUS: Patched CVE SUMMARY: OpenSSH 4.0, and other versions before 4.2, does not properly handle dynamic port forwarding ("-D" option) when a listen address is not provided, which may cause OpenSSH to enable the GatewayPorts functionality. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2797 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2005-2798 CVE STATUS: Patched CVE SUMMARY: sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2798 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2006-0225 CVE STATUS: Patched CVE SUMMARY: scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0225 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2006-0883 CVE STATUS: Patched CVE SUMMARY: OpenSSH on FreeBSD 5.3 and 5.4, when used with OpenPAM, does not properly handle when a forked child process terminates during PAM authentication, which allows remote attackers to cause a denial of service (client connection refusal) by connecting multiple times to the SSH server, waiting for the password prompt, then disconnecting. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-0883 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2006-4924 CVE STATUS: Patched CVE SUMMARY: sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4924 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2006-4925 CVE STATUS: Patched CVE SUMMARY: packet.c in ssh in OpenSSH allows remote attackers to cause a denial of service (crash) by sending an invalid protocol sequence with USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4925 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2006-5051 CVE STATUS: Patched CVE SUMMARY: Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5051 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2006-5052 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort." CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5052 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2006-5229 CVE STATUS: Patched CVE SUMMARY: OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses take longer for valid usernames than invalid ones, as demonstrated by sshtime. NOTE: as of 20061014, it appears that this issue is dependent on the use of manually-set passwords that causes delays when processing /etc/shadow due to an increased number of rounds. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5229 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2006-5794 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5794 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2007-2243 CVE STATUS: Patched CVE SUMMARY: OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2243 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2007-2768 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: This CVE is specific to OpenSSH with the pam opie which we don't build/use here. CVE SUMMARY: OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2768 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2007-3102 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-3102 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2007-4654 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in SSHield 1.6.1 with OpenSSH 3.0.2p1 on Cisco WebNS 8.20.0.1 on Cisco Content Services Switch (CSS) series 11000 devices allows remote attackers to cause a denial of service (connection slot exhaustion and device crash) via a series of large packets designed to exploit the SSH CRC32 attack detection overflow (CVE-2001-0144), possibly a related issue to CVE-2002-1024. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4654 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2007-4752 CVE STATUS: Patched CVE SUMMARY: ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-4752 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2008-1483 CVE STATUS: Patched CVE SUMMARY: OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1483 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2008-1657 CVE STATUS: Patched CVE SUMMARY: OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file. CVSS v2 BASE SCORE: 6.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1657 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2008-3234 CVE STATUS: Patched CVE SUMMARY: sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username. CVSS v2 BASE SCORE: 6.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3234 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2008-3259 CVE STATUS: Patched CVE SUMMARY: OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11UseLocalhost configuration setting is disabled, which allows local users on some platforms to hijack the X11 forwarding port via a bind to a single IP address, as demonstrated on the HP-UX platform. CVSS v2 BASE SCORE: 1.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3259 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2008-3844 CVE STATUS: Ignored CVE DETAIL: not-applicable-platform CVE DESCRIPTION: Only applies to some distributed RHEL binaries. CVE SUMMARY: Certain Red Hat Enterprise Linux (RHEL) 4 and 5 packages for OpenSSH, as signed in August 2008 using a legitimate Red Hat GPG key, contain an externally introduced modification (Trojan Horse) that allows the package authors to have an unknown impact. NOTE: since the malicious packages were not distributed from any official Red Hat sources, the scope of this issue is restricted to users who may have obtained these packages through unofficial distribution points. As of 20080827, no unofficial distributions of this software are known. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-3844 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2008-4109 CVE STATUS: Patched CVE SUMMARY: A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch; before 4.6p1-1 on sid and lenny; and on other distributions such as SUSE uses functions that are not async-signal-safe in the signal handler for login timeouts, which allows remote attackers to cause a denial of service (connection slot exhaustion) via multiple login attempts. NOTE: this issue exists because of an incorrect fix for CVE-2006-5051. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4109 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2008-5161 CVE STATUS: Patched CVE SUMMARY: Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5161 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2009-2904 CVE STATUS: Patched CVE SUMMARY: A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-2904 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2010-4478 CVE STATUS: Patched CVE SUMMARY: OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4478 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2010-4755 CVE STATUS: Patched CVE SUMMARY: The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-4755 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2010-5107 CVE STATUS: Patched CVE SUMMARY: The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-5107 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2011-0539 CVE STATUS: Patched CVE SUMMARY: The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when generating legacy certificates using the -t command-line option in ssh-keygen, does not initialize the nonce field, which might allow remote attackers to obtain sensitive stack memory contents or make it easier to conduct hash collision attacks. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0539 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2011-4327 CVE STATUS: Patched CVE SUMMARY: ssh-keysign.c in ssh-keysign in OpenSSH before 5.8p2 on certain platforms executes ssh-rand-helper with unintended open file descriptors, which allows local users to obtain sensitive key information via the ptrace system call. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4327 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2011-5000 CVE STATUS: Patched CVE SUMMARY: The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field. NOTE: there may be limited scenarios in which this issue is relevant. CVSS v2 BASE SCORE: 3.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-5000 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2012-0814 CVE STATUS: Patched CVE SUMMARY: The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory. CVSS v2 BASE SCORE: 3.5 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0814 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2013-4548 CVE STATUS: Patched CVE SUMMARY: The mm_newkeys_from_blob function in monitor_wrap.c in sshd in OpenSSH 6.2 and 6.3, when an AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a crafted callback address. CVSS v2 BASE SCORE: 6.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4548 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2014-1692 CVE STATUS: Patched CVE SUMMARY: The hash_buffer function in schnorr.c in OpenSSH through 6.4, when Makefile.inc is modified to enable the J-PAKE protocol, does not initialize certain data structures, which might allow remote attackers to cause a denial of service (memory corruption) or have unspecified other impact via vectors that trigger an error condition. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-1692 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2014-2532 CVE STATUS: Patched CVE SUMMARY: sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 4.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2532 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2014-2653 CVE STATUS: Patched CVE SUMMARY: The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2653 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2014-9278 CVE STATUS: Ignored CVE DETAIL: not-applicable-platform CVE DESCRIPTION: This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment CVE SUMMARY: The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9278 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2015-5352 CVE STATUS: Patched CVE SUMMARY: The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time window. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5352 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2015-5600 CVE STATUS: Patched CVE SUMMARY: The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list. CVSS v2 BASE SCORE: 8.5 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5600 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2015-6563 CVE STATUS: Patched CVE SUMMARY: The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 6.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6563 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2015-6564 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6564 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2015-6565 CVE STATUS: Patched CVE SUMMARY: sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY devices, which allows local users to cause a denial of service (terminal disruption) or possibly have unspecified other impact by writing to a device, as demonstrated by writing an escape sequence. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6565 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2015-8325 CVE STATUS: Patched CVE SUMMARY: The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8325 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2016-0777 CVE STATUS: Patched CVE SUMMARY: The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0777 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2016-0778 CVE STATUS: Patched CVE SUMMARY: The (1) roaming_read and (2) roaming_write functions in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2, when certain proxy and forward options are enabled, do not properly maintain connection file descriptors, which allows remote servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact by requesting many forwardings. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0778 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2016-10009 CVE STATUS: Patched CVE SUMMARY: Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10009 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2016-10010 CVE STATUS: Patched CVE SUMMARY: sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10010 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2016-10011 CVE STATUS: Patched CVE SUMMARY: authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10011 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2016-10012 CVE STATUS: Patched CVE SUMMARY: The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allows local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10012 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2016-10708 CVE STATUS: Patched CVE SUMMARY: sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10708 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2016-1907 CVE STATUS: Patched CVE SUMMARY: The ssh_packet_read_poll2 function in packet.c in OpenSSH before 7.1p2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1907 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2016-1908 CVE STATUS: Patched CVE SUMMARY: The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1908 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2016-20012 CVE STATUS: Patched CVE SUMMARY: OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-20012 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2016-3115 CVE STATUS: Patched CVE SUMMARY: Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions. CVSS v2 BASE SCORE: 5.5 CVSS v3 BASE SCORE: 6.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3115 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2016-6210 CVE STATUS: Patched CVE SUMMARY: sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6210 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2016-6515 CVE STATUS: Patched CVE SUMMARY: The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6515 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2016-8858 CVE STATUS: Patched CVE SUMMARY: The kex_input_kexinit function in kex.c in OpenSSH 6.x and 7.x through 7.3 allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests. NOTE: a third party reports that "OpenSSH upstream does not consider this as a security issue." CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8858 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2017-15906 CVE STATUS: Patched CVE SUMMARY: The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15906 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2018-15473 CVE STATUS: Patched CVE SUMMARY: OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15473 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2018-15919 CVE STATUS: Patched CVE SUMMARY: Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.' CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15919 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2018-20685 CVE STATUS: Patched CVE SUMMARY: In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20685 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2019-16905 CVE STATUS: Patched CVE SUMMARY: OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-16905 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2019-6109 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6109 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2019-6110 CVE STATUS: Patched CVE SUMMARY: In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6110 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2019-6111 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file). CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6111 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2020-12062 CVE STATUS: Patched CVE SUMMARY: The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12062 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2020-14145 CVE STATUS: Patched CVE SUMMARY: The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14145 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2020-15778 CVE STATUS: Patched CVE SUMMARY: scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows." CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15778 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2021-28041 CVE STATUS: Patched CVE SUMMARY: ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-28041 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2021-36368 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-36368 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2021-41617 CVE STATUS: Patched CVE SUMMARY: sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-41617 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2023-25136 CVE STATUS: Patched CVE SUMMARY: OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible." CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-25136 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2023-28531 CVE STATUS: Patched CVE SUMMARY: ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-28531 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2023-38408 CVE STATUS: Patched CVE SUMMARY: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-38408 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2023-48795 CVE STATUS: Patched CVE SUMMARY: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-48795 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2023-51384 CVE STATUS: Patched CVE SUMMARY: In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51384 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2023-51385 CVE STATUS: Patched CVE SUMMARY: In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51385 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2023-51767 CVE STATUS: Ignored CVE DETAIL: upstream-wontfix CVE DESCRIPTION: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1. CVE SUMMARY: OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges. NOTE: this is disputed by the Supplier, who states "we do not consider it to be the application's responsibility to defend against platform architectural weaknesses." CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-51767 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2024-39894 CVE STATUS: Patched CVE SUMMARY: OpenSSH 9.5 through 9.7 before 9.8 sometimes allows timing attacks against echo-off password entry (e.g., for su and Sudo) because of an ObscureKeystrokeTiming logic error. Similarly, other timing attacks against keystroke entry could occur. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-39894 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2024-6387 CVE STATUS: Patched CVE SUMMARY: A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6387 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2025-26465 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-26465 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2025-26466 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-26466 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2025-32728 CVE STATUS: Patched CVE SUMMARY: In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32728 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2025-61984 CVE STATUS: Patched CVE SUMMARY: ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.) CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-61984 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2025-61985 CVE STATUS: Patched CVE SUMMARY: ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-61985 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2026-3497 CVE STATUS: Unpatched CVE SUMMARY: Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 6.9 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3497 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2026-35385 CVE STATUS: Unpatched CVE SUMMARY: In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-35385 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2026-35386 CVE STATUS: Unpatched CVE SUMMARY: In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.6 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-35386 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2026-35387 CVE STATUS: Unpatched CVE SUMMARY: OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-35387 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2026-35388 CVE STATUS: Unpatched CVE SUMMARY: OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 2.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-35388 LAYER: meta PACKAGE NAME: openssh PACKAGE VERSION: 9.6p1 CVE: CVE-2026-35414 CVE STATUS: Unpatched CVE SUMMARY: OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.2 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-35414 LAYER: meta PACKAGE NAME: alsa-lib PACKAGE VERSION: 1.2.11 CVE: CVE-2005-0087 CVE STATUS: Patched CVE SUMMARY: The alsa-lib package in Red Hat Linux 4 disables stack protection for the libasound.so library, which makes it easier for attackers to execute arbitrary code if there are other vulnerabilities in the library. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0087 LAYER: meta PACKAGE NAME: dmidecode PACKAGE VERSION: 3.5 CVE: CVE-2023-30630 CVE STATUS: Patched CVE SUMMARY: Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible. NOTE: Some third parties have indicated the fix in 3.5 does not adequately address the vulnerability. The argument is that the proposed patch prevents dmidecode from writing to an existing file. However, there are multiple attack vectors that would not require overwriting an existing file that would provide the same level of unauthorized privilege escalation (e.g. creating a new file in /etc/cron.hourly). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-30630 LAYER: meta PACKAGE NAME: libdnf PACKAGE VERSION: 0.73.2 CVE: CVE-2021-3445 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3445 LAYER: meta PACKAGE NAME: libxrandr PACKAGE VERSION: 1_1.5.4 CVE: CVE-2013-1986 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in X.org libXrandr 1.4.0 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XRRQueryOutputProperty and (2) XRRQueryProviderProperty functions. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-1986 LAYER: meta PACKAGE NAME: libxrandr PACKAGE VERSION: 1_1.5.4 CVE: CVE-2016-7947 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in X.org libXrandr before 1.5.1 allow remote X servers to trigger out-of-bounds write operations via a crafted response. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7947 LAYER: meta PACKAGE NAME: libxrandr PACKAGE VERSION: 1_1.5.4 CVE: CVE-2016-7948 CVE STATUS: Patched CVE SUMMARY: X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7948 LAYER: meta-oe PACKAGE NAME: dhrystone PACKAGE VERSION: 2.1 CVE: CVE-2020-23026 CVE STATUS: Unpatched CVE SUMMARY: A NULL pointer dereference in the main() function dhry_1.c of dhrystone 2.1 causes a denial of service (DoS). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-23026 LAYER: meta-oe PACKAGE NAME: fwupd PACKAGE VERSION: 1.9.18 CVE: CVE-2022-3287 CVE STATUS: Patched CVE SUMMARY: When creating an OPERATOR user account on the BMC, the redfish plugin saved the auto-generated password to /etc/fwupd/redfish.conf without proper restriction, allowing any user on the system to read the same configuration file. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3287 LAYER: meta PACKAGE NAME: libxdmcp PACKAGE VERSION: 1_1.1.4 CVE: CVE-2017-2625 CVE STATUS: Patched CVE SUMMARY: It was discovered that libXdmcp before 1.1.2 including used weak entropy to generate session keys. On a multi-user system using xdmcp, a local attacker could potentially use information available from the process list to brute force the key, allowing them to hijack other users' sessions. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2625 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2002-1170 CVE STATUS: Patched CVE SUMMARY: The handle_var_requests function in snmp_agent.c for the SNMP daemon in the Net-SNMP (formerly ucd-snmp) package 5.0.1 through 5.0.5 allows remote attackers to cause a denial of service (crash) via a NULL dereference. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2002-1170 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2003-0935 CVE STATUS: Patched CVE SUMMARY: Net-SNMP before 5.0.9 allows a user or community to access data in MIB objects, even if that data is not allowed to be viewed. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0935 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2005-1740 CVE STATUS: Patched CVE SUMMARY: fixproc in Net-snmp 5.x before 5.2.1-r1 creates temporary files insecurely, which allows local users to modify the contents of those files to execute arbitrary commands, or overwrite arbitrary files via a symlink attack. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-1740 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2005-2177 CVE STATUS: Patched CVE SUMMARY: Net-SNMP 5.0.x before 5.0.10.2, 5.2.x before 5.2.1.2, and 5.1.3, when net-snmp is using stream sockets such as TCP, allows remote attackers to cause a denial of service (daemon hang and CPU consumption) via a TCP packet of length 1, which triggers an infinite loop. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2177 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2005-2811 CVE STATUS: Patched CVE SUMMARY: Untrusted search path vulnerability in Net-SNMP 5.2.1.2 and earlier, on Gentoo Linux, installs certain Perl modules with an insecure DT_RPATH, which could allow local users to gain privileges. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-2811 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2005-4837 CVE STATUS: Patched CVE SUMMARY: snmp_api.c in snmpd in Net-SNMP 5.2.x before 5.2.2, 5.1.x before 5.1.3, and 5.0.x before 5.0.10.2, when running in master agentx mode, allows remote attackers to cause a denial of service (crash) by causing a particular TCP disconnect, which triggers a free of an incorrect variable, a different vulnerability than CVE-2005-2177. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4837 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2006-6305 CVE STATUS: Patched CVE SUMMARY: Unspecified vulnerability in Net-SNMP 5.3 before 5.3.0.1, when configured using the rocommunity or rouser snmpd.conf tokens, causes Net-SNMP to grant write access to users or communities that only have read-only access. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-6305 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2007-5846 CVE STATUS: Patched CVE SUMMARY: The SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote attackers to cause a denial of service (CPU and memory consumption) via a GETBULK request with a large max-repeaters value. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5846 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2008-2292 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the __snprint_value function in snmp_get in Net-SNMP 5.1.4, 5.2.4, and 5.4.1, as used in SNMP.xs for Perl, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large OCTETSTRING in an attribute value pair (AVP). CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2292 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2008-4309 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4309 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2008-6123 CVE STATUS: Patched CVE SUMMARY: The netsnmp_udp_fmtaddr function (snmplib/snmpUDPDomain.c) in net-snmp 5.0.9 through 5.4.2.1, when using TCP wrappers for client authorization, does not properly parse hosts.allow rules, which allows remote attackers to bypass intended access restrictions and execute SNMP queries, related to "source/destination IP address confusion." CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-6123 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2009-1887 CVE STATUS: Patched CVE SUMMARY: agent/snmp_agent.c in snmpd in net-snmp 5.0.9 in Red Hat Enterprise Linux (RHEL) 3 allows remote attackers to cause a denial of service (daemon crash) via a crafted SNMP GETBULK request that triggers a divide-by-zero error. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-4309. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-1887 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2012-2141 CVE STATUS: Patched CVE SUMMARY: Array index error in the handle_nsExtendOutput2Table function in agent/mibgroup/agent/extend.c in Net-SNMP 5.7.1 allows remote authenticated users to cause a denial of service (out-of-bounds read and snmpd crash) via an SNMP GET request for an entry not in the extension table. CVSS v2 BASE SCORE: 3.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2141 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2012-6151 CVE STATUS: Patched CVE SUMMARY: Net-SNMP 5.7.1 and earlier, when AgentX is registering to handle a MIB and processing GETNEXT requests, allows remote attackers to cause a denial of service (crash or infinite loop, CPU consumption, and hang) by causing the AgentX subagent to timeout. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6151 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2014-2284 CVE STATUS: Patched CVE SUMMARY: The Linux implementation of the ICMP-MIB in Net-SNMP 5.5 before 5.5.2.1, 5.6.x before 5.6.2.1, and 5.7.x before 5.7.2.1 does not properly validate input, which allows remote attackers to cause a denial of service via unspecified vectors. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2284 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2014-2285 CVE STATUS: Patched CVE SUMMARY: The perl_trapd_handler function in perl/TrapReceiver/TrapReceiver.xs in Net-SNMP 5.7.3.pre3 and earlier, when using certain Perl versions, allows remote attackers to cause a denial of service (snmptrapd crash) via an empty community string in an SNMP trap, which triggers a NULL pointer dereference within the newSVpv function in Perl. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2285 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2014-2310 CVE STATUS: Patched CVE SUMMARY: The AgentX subagent in Net-SNMP before 5.4.4 allows remote attackers to cause a denial of service (hang) by sending a multi-object request with an Object ID (OID) containing more subids than previous requests, a different vulnerability than CVE-2012-6151. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2310 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2014-3565 CVE STATUS: Patched CVE SUMMARY: snmplib/mib.c in net-snmp 5.7.0 and earlier, when the -OQ option is used, allows remote attackers to cause a denial of service (snmptrapd crash) via a crafted SNMP trap message, which triggers a conversion to the variable type designated in the MIB file, as demonstrated by a NULL type in an ifMtu trap message. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3565 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2015-5621 CVE STATUS: Patched CVE SUMMARY: The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and earlier does not remove the varBind variable in a netsnmp_variable_list item when parsing of the SNMP PDU fails, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5621 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2015-8100 CVE STATUS: Patched CVE SUMMARY: The net-snmp package in OpenBSD through 5.8 uses 0644 permissions for snmpd.conf, which allows local users to obtain sensitive community information by reading this file. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8100 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2018-1000116 CVE STATUS: Patched CVE SUMMARY: NET-SNMP version 5.7.2 contains a heap corruption vulnerability in the UDP protocol handler that can result in command execution. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-1000116 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2018-18065 CVE STATUS: Patched CVE SUMMARY: _set_key in agent/helpers/table_container.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an authenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18065 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2018-18066 CVE STATUS: Patched CVE SUMMARY: snmp_oid_compare in snmplib/snmp_api.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18066 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2019-20892 CVE STATUS: Patched CVE SUMMARY: net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. NOTE: this affects net-snmp packages shipped to end users by multiple Linux distributions, but might not affect an upstream release. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20892 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2020-15861 CVE STATUS: Patched CVE SUMMARY: Net-SNMP through 5.7.3 allows Escalation of Privileges because of UNIX symbolic link (symlink) following. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15861 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2020-15862 CVE STATUS: Patched CVE SUMMARY: Net-SNMP through 5.8 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15862 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2022-24805 CVE STATUS: Patched CVE SUMMARY: net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a buffer overflow in the handling of the `INDEX` of `NET-SNMP-VACM-MIB` can cause an out-of-bounds memory access. A user with read-only credentials can exploit the issue. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24805 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2022-24806 CVE STATUS: Patched CVE SUMMARY: net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can exploit an Improper Input Validation vulnerability when SETing malformed OIDs in master agent and subagent simultaneously. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24806 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2022-24807 CVE STATUS: Patched CVE SUMMARY: net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a malformed OID in a SET request to `SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable` can cause an out-of-bounds memory access. A user with read-write credentials can exploit the issue. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24807 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2022-24808 CVE STATUS: Patched CVE SUMMARY: net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can use a malformed OID in a `SET` request to `NET-SNMP-AGENT-MIB::nsLogTable` to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24808 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2022-24809 CVE STATUS: Patched CVE SUMMARY: net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-only credentials can use a malformed OID in a `GET-NEXT` to the `nsVacmAccessTable` to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24809 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2022-24810 CVE STATUS: Patched CVE SUMMARY: net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can use a malformed OID in a SET to the nsVacmAccessTable to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-24810 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2022-44792 CVE STATUS: Patched CVE SUMMARY: handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.8 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker (who has write access) to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-44792 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2022-44793 CVE STATUS: Patched CVE SUMMARY: handle_ipv6IpForwarding in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.4.3 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-44793 LAYER: meta-networking PACKAGE NAME: net-snmp PACKAGE VERSION: 5.9.4 CVE: CVE-2025-68615 CVE STATUS: Patched CVE SUMMARY: net-snmp is a SNMP application library, tools and daemon. Prior to versions 5.9.5 and 5.10.pre2, a specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash. This issue has been patched in versions 5.9.5 and 5.10.pre2. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-68615 LAYER: meta-oe PACKAGE NAME: hwloc PACKAGE VERSION: 2.9.3 CVE: CVE-2022-47022 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in open-mpi hwloc 2.1.0 allows attackers to cause a denial of service or other unspecified impacts via glibc-cpuset in topology-linux.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-47022 LAYER: meta PACKAGE NAME: libice PACKAGE VERSION: 1_1.1.1 CVE: CVE-2017-2626 CVE STATUS: Patched CVE SUMMARY: It was discovered that libICE before 1.0.9-8 used a weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2626 LAYER: meta-python PACKAGE NAME: python3-twisted PACKAGE VERSION: 24.3.0 CVE: CVE-2024-41671 CVE STATUS: Patched CVE SUMMARY: Twisted is an event-based framework for internet applications, supporting Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. This vulnerability is fixed in 24.7.0rc1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41671 LAYER: meta-python PACKAGE NAME: python3-twisted PACKAGE VERSION: 24.3.0 CVE: CVE-2024-41810 CVE STATUS: Patched CVE SUMMARY: Twisted is an event-based framework for internet applications, supporting Python 3.6+. The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-41810 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2009-3560 CVE STATUS: Patched CVE SUMMARY: The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c, a different vulnerability than CVE-2009-2625 and CVE-2009-3720. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3560 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2009-3720 CVE STATUS: Patched CVE SUMMARY: The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3720 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2012-0876 CVE STATUS: Patched CVE SUMMARY: The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0876 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2012-1147 CVE STATUS: Patched CVE SUMMARY: readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1147 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2012-1148 CVE STATUS: Patched CVE SUMMARY: Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-1148 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2012-6702 CVE STATUS: Patched CVE SUMMARY: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6702 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2013-0340 CVE STATUS: Patched CVE SUMMARY: expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-0340 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2015-1283 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1283 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2016-0718 CVE STATUS: Patched CVE SUMMARY: Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-0718 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2016-4472 CVE STATUS: Patched CVE SUMMARY: The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4472 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2016-5300 CVE STATUS: Patched CVE SUMMARY: The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5300 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2017-11742 CVE STATUS: Patched CVE SUMMARY: The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL hijacking. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11742 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2017-9233 CVE STATUS: Patched CVE SUMMARY: XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external DTD. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9233 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2018-20843 CVE STATUS: Patched CVE SUMMARY: In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20843 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2019-15903 CVE STATUS: Patched CVE SUMMARY: In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15903 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2021-45960 CVE STATUS: Patched CVE SUMMARY: In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). CVSS v2 BASE SCORE: 9.0 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-45960 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2021-46143 CVE STATUS: Patched CVE SUMMARY: In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-46143 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2022-22822 CVE STATUS: Patched CVE SUMMARY: addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22822 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2022-22823 CVE STATUS: Patched CVE SUMMARY: build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22823 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2022-22824 CVE STATUS: Patched CVE SUMMARY: defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22824 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2022-22825 CVE STATUS: Patched CVE SUMMARY: lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22825 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2022-22826 CVE STATUS: Patched CVE SUMMARY: nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22826 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2022-22827 CVE STATUS: Patched CVE SUMMARY: storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-22827 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2022-23852 CVE STATUS: Patched CVE SUMMARY: Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23852 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2022-23990 CVE STATUS: Patched CVE SUMMARY: Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-23990 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2022-25235 CVE STATUS: Patched CVE SUMMARY: xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25235 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2022-25236 CVE STATUS: Patched CVE SUMMARY: xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25236 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2022-25313 CVE STATUS: Patched CVE SUMMARY: In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25313 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2022-25314 CVE STATUS: Patched CVE SUMMARY: In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25314 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2022-25315 CVE STATUS: Patched CVE SUMMARY: In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-25315 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2022-40674 CVE STATUS: Patched CVE SUMMARY: libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-40674 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2022-43680 CVE STATUS: Patched CVE SUMMARY: In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-43680 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2023-52425 CVE STATUS: Patched CVE SUMMARY: libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52425 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2023-52426 CVE STATUS: Patched CVE SUMMARY: libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-52426 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2024-28757 CVE STATUS: Patched CVE SUMMARY: libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-28757 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2024-45490 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45490 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2024-45491 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45491 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2024-45492 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-45492 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2024-50602 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-50602 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2024-8176 CVE STATUS: Patched CVE SUMMARY: A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-8176 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2025-59375 CVE STATUS: Patched CVE SUMMARY: libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-59375 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2025-66382 CVE STATUS: Unpatched CVE SUMMARY: In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 2.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-66382 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2026-24515 CVE STATUS: Patched CVE SUMMARY: In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 2.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-24515 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2026-25210 CVE STATUS: Patched CVE SUMMARY: In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-25210 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2026-32776 CVE STATUS: Unpatched CVE SUMMARY: libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-32776 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2026-32777 CVE STATUS: Unpatched CVE SUMMARY: libexpat before 2.7.5 allows an infinite loop while parsing DTD content. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-32777 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2026-32778 CVE STATUS: Unpatched CVE SUMMARY: libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 2.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-32778 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2026-41080 CVE STATUS: Unpatched CVE SUMMARY: libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 2.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-41080 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2026-45186 CVE STATUS: Unpatched CVE SUMMARY: In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 2.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-45186 LAYER: meta PACKAGE NAME: expat PACKAGE VERSION: 2.6.4 CVE: CVE-2026-50219 CVE STATUS: Unpatched CVE SUMMARY: libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur, CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.9 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-50219 LAYER: meta-oe PACKAGE NAME: jansson PACKAGE VERSION: 2.14 CVE: CVE-2013-6401 CVE STATUS: Patched CVE SUMMARY: Jansson, possibly 2.4 and earlier, does not restrict the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted JSON document. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6401 LAYER: meta-oe PACKAGE NAME: jansson PACKAGE VERSION: 2.14 CVE: CVE-2016-4425 CVE STATUS: Patched CVE SUMMARY: Jansson 2.7 and earlier allows context-dependent attackers to cause a denial of service (deep recursion, stack consumption, and crash) via crafted JSON data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4425 LAYER: meta-oe PACKAGE NAME: jansson PACKAGE VERSION: 2.14 CVE: CVE-2020-36325 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in Jansson through 2.13.1. Due to a parsing error in json_loads, there's an out-of-bounds read-access bug. NOTE: the vendor reports that this only occurs when a programmer fails to follow the API specification CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-36325 LAYER: meta PACKAGE NAME: logrotate PACKAGE VERSION: 3.21.0 CVE: CVE-2011-1098 CVE STATUS: Patched CVE SUMMARY: Race condition in the createOutputFile function in logrotate.c in logrotate 3.7.9 and earlier allows local users to read log data by opening a file before the intended permissions are in place. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1098 LAYER: meta PACKAGE NAME: logrotate PACKAGE VERSION: 3.21.0 CVE: CVE-2011-1154 CVE STATUS: Patched CVE SUMMARY: The shred_file function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to execute arbitrary commands via shell metacharacters in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a hostname or virtual machine name. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1154 LAYER: meta PACKAGE NAME: logrotate PACKAGE VERSION: 3.21.0 CVE: CVE-2011-1155 CVE STATUS: Patched CVE SUMMARY: The writeState function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to cause a denial of service (rotation outage) via a (1) \n (newline) or (2) \ (backslash) character in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a hostname or virtual machine name. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1155 LAYER: meta PACKAGE NAME: logrotate PACKAGE VERSION: 3.21.0 CVE: CVE-2011-1548 CVE STATUS: Ignored CVE DETAIL: not-applicable-platform CVE DESCRIPTION: CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used CVE SUMMARY: The default configuration of logrotate on Debian GNU/Linux uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by /var/log/postgresql/. CVSS v2 BASE SCORE: 6.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1548 LAYER: meta PACKAGE NAME: logrotate PACKAGE VERSION: 3.21.0 CVE: CVE-2011-1549 CVE STATUS: Ignored CVE DETAIL: not-applicable-platform CVE DESCRIPTION: CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used CVE SUMMARY: The default configuration of logrotate on Gentoo Linux uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by directories under /var/log/ for packages. CVSS v2 BASE SCORE: 6.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1549 LAYER: meta PACKAGE NAME: logrotate PACKAGE VERSION: 3.21.0 CVE: CVE-2011-1550 CVE STATUS: Ignored CVE DETAIL: not-applicable-platform CVE DESCRIPTION: CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used CVE SUMMARY: The default configuration of logrotate on SUSE openSUSE Factory uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by directories for the (1) cobbler, (2) inn, (3) safte-monitor, and (4) uucp packages. CVSS v2 BASE SCORE: 6.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1550 LAYER: meta PACKAGE NAME: logrotate PACKAGE VERSION: 3.21.0 CVE: CVE-2022-1348 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in logrotate in how the state file is created. The state file is used to prevent parallel executions of multiple instances of logrotate by acquiring and releasing a file lock. When the state file does not exist, it is created with world-readable permission, allowing an unprivileged user to lock the state file, stopping any rotation. This flaw affects logrotate versions before 3.20.0. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1348 LAYER: meta PACKAGE NAME: python3-zipp PACKAGE VERSION: 3.17.0 CVE: CVE-2024-5569 CVE STATUS: Patched CVE SUMMARY: A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-5569 LAYER: meta PACKAGE NAME: libmicrohttpd PACKAGE VERSION: 1.0.1 CVE: CVE-2013-7038 CVE STATUS: Patched CVE SUMMARY: The MHD_http_unescape function in libmicrohttpd before 0.9.32 might allow remote attackers to obtain sensitive information or cause a denial of service (crash) via unspecified vectors that trigger an out-of-bounds read. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7038 LAYER: meta PACKAGE NAME: libmicrohttpd PACKAGE VERSION: 1.0.1 CVE: CVE-2013-7039 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the MHD_digest_auth_check function in libmicrohttpd before 0.9.32, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is set to a large value, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long URI in an authentication header. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-7039 LAYER: meta PACKAGE NAME: libmicrohttpd PACKAGE VERSION: 1.0.1 CVE: CVE-2021-3466 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libmicrohttpd. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Only version 0.9.70 is vulnerable. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3466 LAYER: meta PACKAGE NAME: libmicrohttpd PACKAGE VERSION: 1.0.1 CVE: CVE-2023-27371 CVE STATUS: Patched CVE SUMMARY: GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-27371 LAYER: meta PACKAGE NAME: libmicrohttpd PACKAGE VERSION: 1.0.1 CVE: CVE-2025-59777 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: experimental code not compiled CVE SUMMARY: NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 8.7 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-59777 LAYER: meta PACKAGE NAME: libmicrohttpd PACKAGE VERSION: 1.0.1 CVE: CVE-2025-62689 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: experimental code not compiled CVE SUMMARY: NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 8.7 VECTOR: NETWORK VECTORSTRING: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-62689 LAYER: meta PACKAGE NAME: iptables PACKAGE VERSION: 1.8.10 CVE: CVE-2001-1387 CVE STATUS: Patched CVE SUMMARY: iptables-save in iptables before 1.2.4 records the "--reject-with icmp-host-prohibited" rule as "--reject-with tcp-reset," which causes iptables to generate different responses than specified by the administrator, possibly leading to an information leak. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1387 LAYER: meta PACKAGE NAME: iptables PACKAGE VERSION: 1.8.10 CVE: CVE-2001-1388 CVE STATUS: Patched CVE SUMMARY: iptables before 1.2.4 does not accurately convert rate limits that are specified on the command line, which could allow attackers or users to generate more or less traffic than intended by the administrator. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1388 LAYER: meta PACKAGE NAME: iptables PACKAGE VERSION: 1.8.10 CVE: CVE-2012-2663 CVE STATUS: Patched CVE SUMMARY: extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2663 LAYER: meta PACKAGE NAME: iptables PACKAGE VERSION: 1.8.10 CVE: CVE-2019-11360 CVE STATUS: Patched CVE SUMMARY: A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c. CVSS v2 BASE SCORE: 3.5 CVSS v3 BASE SCORE: 4.2 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-11360 LAYER: meta PACKAGE NAME: vte PACKAGE VERSION: 0.74.2 CVE: CVE-2003-0070 CVE STATUS: Patched CVE SUMMARY: VTE, as used by default in gnome-terminal terminal emulator 2.2 and as an option in gnome-terminal 2.0, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2003-0070 LAYER: meta PACKAGE NAME: vte PACKAGE VERSION: 0.74.2 CVE: CVE-2010-2713 CVE STATUS: Patched CVE SUMMARY: The vte_sequence_handler_window_manipulation function in vteseq.c in libvte (aka libvte9) in VTE 0.25.1 and earlier, as used in gnome-terminal, does not properly handle escape sequences, which allows remote attackers to execute arbitrary commands or obtain potentially sensitive information via a (1) window title or (2) icon title sequence. NOTE: this issue exists because of a CVE-2003-0070 regression. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2713 LAYER: meta PACKAGE NAME: vte PACKAGE VERSION: 0.74.2 CVE: CVE-2012-2738 CVE STATUS: Patched CVE SUMMARY: The VteTerminal in gnome-terminal (vte) before 0.32.2 allows remote authenticated users to cause a denial of service (long loop and CPU consumption) via an escape sequence with a large repeat count value. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2738 LAYER: meta PACKAGE NAME: vte PACKAGE VERSION: 0.74.2 CVE: CVE-2024-37535 CVE STATUS: Patched CVE SUMMARY: GNOME VTE before 0.76.3 allows an attacker to cause a denial of service (memory consumption) via a window resize escape sequence, a related issue to CVE-2000-0476. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-37535 LAYER: meta PACKAGE NAME: libxfont2 PACKAGE VERSION: 2.0.6 CVE: CVE-2007-1351 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the bdfReadCharacters function in bdfread.c in (1) X.Org libXfont before 20070403 and (2) freetype 2.3.2 and earlier allows remote authenticated users to execute arbitrary code via crafted BDF fonts, which result in a heap overflow. CVSS v2 BASE SCORE: 8.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1351 LAYER: meta PACKAGE NAME: libxfont2 PACKAGE VERSION: 2.0.6 CVE: CVE-2007-1352 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the FontFileInitTable function in X.Org libXfont before 20070403 allows remote authenticated users to execute arbitrary code via a long first line in the fonts.dir file, which results in a heap overflow. CVSS v2 BASE SCORE: 3.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1352 LAYER: meta PACKAGE NAME: libxfont2 PACKAGE VERSION: 2.0.6 CVE: CVE-2007-5199 CVE STATUS: Patched CVE SUMMARY: A single byte overflow in catalogue.c in X.Org libXfont 1.3.1 allows remote attackers to have unspecified impact. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5199 LAYER: meta PACKAGE NAME: libxfont2 PACKAGE VERSION: 2.0.6 CVE: CVE-2011-2895 CVE STATUS: Patched CVE SUMMARY: The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD 4.0.x and 5.0.x before 5.0.3 and 5.1.x before 5.1.1, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2895 LAYER: meta PACKAGE NAME: libxfont2 PACKAGE VERSION: 2.0.6 CVE: CVE-2013-6462 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont 1.1 through 1.4.6 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string in a character name in a BDF font file. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6462 LAYER: meta PACKAGE NAME: libxfont2 PACKAGE VERSION: 2.0.6 CVE: CVE-2014-0209 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the (1) FontFileAddEntry and (2) lexAlias functions in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 might allow local users to gain privileges by adding a directory with a large fonts.dir or fonts.alias file to the font path, which triggers a heap-based buffer overflow, related to metadata. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0209 LAYER: meta PACKAGE NAME: libxfont2 PACKAGE VERSION: 2.0.6 CVE: CVE-2014-0210 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 allow remote font servers to execute arbitrary code via a crafted xfs protocol reply to the (1) _fs_recv_conn_setup, (2) fs_read_open_font, (3) fs_read_query_info, (4) fs_read_extent_info, (5) fs_read_glyphs, (6) fs_read_list, or (7) fs_read_list_info function. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0210 LAYER: meta PACKAGE NAME: libxfont2 PACKAGE VERSION: 2.0.6 CVE: CVE-2014-0211 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the (1) fs_get_reply, (2) fs_alloc_glyphs, and (3) fs_read_extent_info functions in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 allow remote font servers to execute arbitrary code via a crafted xfs reply, which triggers a buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0211 LAYER: meta PACKAGE NAME: libxfont2 PACKAGE VERSION: 2.0.6 CVE: CVE-2015-1802 CVE STATUS: Patched CVE SUMMARY: The bdfReadProperties function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 allows remote authenticated users to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a (1) negative or (2) large property count in a BDF font file. CVSS v2 BASE SCORE: 8.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1802 LAYER: meta PACKAGE NAME: libxfont2 PACKAGE VERSION: 2.0.6 CVE: CVE-2015-1803 CVE STATUS: Patched CVE SUMMARY: The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not properly handle character bitmaps it cannot read, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) and possibly execute arbitrary code via a crafted BDF font file. CVSS v2 BASE SCORE: 8.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1803 LAYER: meta PACKAGE NAME: libxfont2 PACKAGE VERSION: 2.0.6 CVE: CVE-2015-1804 CVE STATUS: Patched CVE SUMMARY: The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not properly perform type conversion for metrics values, which allows remote authenticated users to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code via a crafted BDF font file. CVSS v2 BASE SCORE: 8.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1804 LAYER: meta PACKAGE NAME: libxfont2 PACKAGE VERSION: 2.0.6 CVE: CVE-2017-13720 CVE STATUS: Patched CVE SUMMARY: In the PatternMatch function in fontfile/fontdir.c in libXfont through 1.5.2 and 2.x before 2.0.2, an attacker with access to an X connection can cause a buffer over-read during pattern matching of fonts, leading to information disclosure or a crash (denial of service). This occurs because '\0' characters are incorrectly skipped in situations involving ? characters. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13720 LAYER: meta PACKAGE NAME: libxfont2 PACKAGE VERSION: 2.0.6 CVE: CVE-2017-13722 CVE STATUS: Patched CVE SUMMARY: In the pcfGetProperties function in bitmap/pcfread.c in libXfont through 1.5.2 and 2.x before 2.0.2, a missing boundary check (for PCF files) could be used by local attackers authenticated to an Xserver for a buffer over-read, for information disclosure or a crash of the X server. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 7.1 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13722 LAYER: meta PACKAGE NAME: libxfont2 PACKAGE VERSION: 2.0.6 CVE: CVE-2017-16611 CVE STATUS: Patched CVE SUMMARY: In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker can open (but not read) files on the system as root, triggering tape rewinds, watchdogs, or similar mechanisms that can be triggered by opening files. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16611 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2005-4889 CVE STATUS: Patched CVE SUMMARY: lib/fsm.c in RPM before 4.4.3 does not properly reset the metadata of an executable file during deletion of the file in an RPM package removal, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file, a related issue to CVE-2010-2059. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-4889 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2010-2059 CVE STATUS: Patched CVE SUMMARY: lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and RPM before 4.4.3, does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2059 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2010-2197 CVE STATUS: Patched CVE SUMMARY: rpmbuild in RPM 4.8.0 and earlier does not properly parse the syntax of spec files, which allows user-assisted remote attackers to remove home directories via vectors involving a ;~ (semicolon tilde) sequence in a Name tag. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2197 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2010-2198 CVE STATUS: Patched CVE SUMMARY: lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to gain privileges or bypass intended access restrictions by creating a hard link to a vulnerable file that has (1) POSIX file capabilities or (2) SELinux context information, a related issue to CVE-2010-2059. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2198 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2010-2199 CVE STATUS: Patched CVE SUMMARY: lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to bypass intended access restrictions by creating a hard link to a vulnerable file that has a POSIX ACL, a related issue to CVE-2010-2059. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-2199 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2011-3378 CVE STATUS: Patched CVE SUMMARY: RPM 4.4.x through 4.9.x, probably before 4.9.1.2, allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via an rpm package with crafted headers and offsets that are not properly handled when a package is queried or installed, related to (1) the regionSwab function, (2) the headerLoad function, and (3) multiple functions in rpmio/rpmpgp.c. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3378 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2012-0060 CVE STATUS: Patched CVE SUMMARY: RPM before 4.9.1.3 does not properly validate region tags, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an invalid region tag in a package header to the (1) headerLoad, (2) rpmReadSignature, or (3) headerVerify function. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0060 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2012-0061 CVE STATUS: Patched CVE SUMMARY: The headerLoad function in lib/header.c in RPM before 4.9.1.3 does not properly validate region tags, which allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large region size in a package header. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0061 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2012-0815 CVE STATUS: Patched CVE SUMMARY: The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range comparison. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-0815 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2012-6088 CVE STATUS: Patched CVE SUMMARY: The rpmpkgRead function in lib/package.c in RPM 4.10.x before 4.10.2 does not return an error code in certain situations involving an "unparseable signature," which allows remote attackers to bypass RPM signature checks via a crafted package. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6088 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2013-6435 CVE STATUS: Patched CVE SUMMARY: Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory. CVSS v2 BASE SCORE: 7.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6435 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2014-8118 CVE STATUS: Patched CVE SUMMARY: Integer overflow in RPM 4.12 and earlier allows remote attackers to execute arbitrary code via a crafted CPIO header in the payload section of an RPM file, which triggers a stack-based buffer overflow. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8118 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2017-7500 CVE STATUS: Patched CVE SUMMARY: It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 7.3 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7500 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2017-7501 CVE STATUS: Patched CVE SUMMARY: It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7501 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2021-20266 CVE STATUS: Patched CVE SUMMARY: A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 4.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20266 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2021-20271 CVE STATUS: Patched CVE SUMMARY: A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability. CVSS v2 BASE SCORE: 5.1 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20271 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2021-3421 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3421 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2021-3521 CVE STATUS: Patched CVE SUMMARY: There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3521 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2021-35937 CVE STATUS: Patched CVE SUMMARY: A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-35937 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2021-35938 CVE STATUS: Patched CVE SUMMARY: A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-35938 LAYER: meta PACKAGE NAME: rpm PACKAGE VERSION: 1_4.19.1.1 CVE: CVE-2021-35939 CVE STATUS: Patched CVE SUMMARY: It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.7 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-35939 LAYER: meta PACKAGE NAME: libxcursor PACKAGE VERSION: 1_1.2.2 CVE: CVE-2013-2003 CVE STATUS: Patched CVE SUMMARY: Integer overflow in X.org libXcursor 1.1.13 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the _XcursorFileHeaderCreate function. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2003 LAYER: meta PACKAGE NAME: libxcursor PACKAGE VERSION: 1_1.2.2 CVE: CVE-2015-9262 CVE STATUS: Patched CVE SUMMARY: _XcursorThemeInherits in library.c in libXcursor before 1.1.15 allows remote attackers to cause denial of service or potentially code execution via a one-byte heap overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9262 LAYER: meta PACKAGE NAME: libxcursor PACKAGE VERSION: 1_1.2.2 CVE: CVE-2017-16612 CVE STATUS: Patched CVE SUMMARY: libXcursor before 1.1.15 has various integer overflows that could lead to heap buffer overflows when processing malicious cursors, e.g., with programs like GIMP. It is also possible that an attack vector exists against the related code in cursor/xcursor.c in Wayland through 1.14.0. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16612 LAYER: meta PACKAGE NAME: e2fsprogs PACKAGE VERSION: 1.47.0 CVE: CVE-2007-5497 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in libext2fs in e2fsprogs before 1.40.3 allow user-assisted remote attackers to execute arbitrary code via a crafted filesystem image. CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5497 LAYER: meta PACKAGE NAME: e2fsprogs PACKAGE VERSION: 1.47.0 CVE: CVE-2015-0247 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in openfs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code via crafted block group descriptor data in a filesystem image. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-0247 LAYER: meta PACKAGE NAME: e2fsprogs PACKAGE VERSION: 1.47.0 CVE: CVE-2015-1572 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in closefs.c in the libext2fs library in e2fsprogs before 1.42.12 allows local users to execute arbitrary code by causing a crafted block group descriptor to be marked as dirty. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0247. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1572 LAYER: meta PACKAGE NAME: e2fsprogs PACKAGE VERSION: 1.47.0 CVE: CVE-2019-5094 CVE STATUS: Patched CVE SUMMARY: An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5094 LAYER: meta PACKAGE NAME: e2fsprogs PACKAGE VERSION: 1.47.0 CVE: CVE-2019-5188 CVE STATUS: Patched CVE SUMMARY: A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5188 LAYER: meta PACKAGE NAME: e2fsprogs PACKAGE VERSION: 1.47.0 CVE: CVE-2022-1304 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1304 LAYER: meta PACKAGE NAME: lame PACKAGE VERSION: 3.100 CVE: CVE-2015-9099 CVE STATUS: Patched CVE SUMMARY: The lame_init_params function in lame.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted audio file with a negative sample rate. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9099 LAYER: meta PACKAGE NAME: lame PACKAGE VERSION: 3.100 CVE: CVE-2015-9100 CVE STATUS: Patched CVE SUMMARY: The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3.99.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted audio file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9100 LAYER: meta PACKAGE NAME: lame PACKAGE VERSION: 3.100 CVE: CVE-2015-9101 CVE STATUS: Patched CVE SUMMARY: The fill_buffer_resample function in util.c in libmp3lame.a in LAME 3.98.4, 3.98.2, 3.98, 3.99, 3.99.1, 3.99.2, 3.99.3, 3.99.4 and 3.99.5 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted audio file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-9101 LAYER: meta PACKAGE NAME: lame PACKAGE VERSION: 3.100 CVE: CVE-2017-11720 CVE STATUS: Patched CVE SUMMARY: There is a division-by-zero vulnerability in LAME 3.99.5, caused by a malformed input file. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11720 LAYER: meta PACKAGE NAME: lame PACKAGE VERSION: 3.100 CVE: CVE-2017-13712 CVE STATUS: Patched CVE SUMMARY: NULL Pointer Dereference in the id3v2AddAudioDuration function in libmp3lame/id3tag.c in LAME 3.99.5 allows attackers to perform Denial of Service by triggering a NULL first argument. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13712 LAYER: meta PACKAGE NAME: lame PACKAGE VERSION: 3.100 CVE: CVE-2017-15018 CVE STATUS: Patched CVE SUMMARY: LAME 3.99.5, 3.99.4, 3.99.3, 3.99.2, 3.99.1, 3.99, 3.98.4, 3.98.2 and 3.98 have a heap-based buffer over-read when handling a malformed file in k_34_4 in vbrquantize.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15018 LAYER: meta PACKAGE NAME: lame PACKAGE VERSION: 3.100 CVE: CVE-2017-15019 CVE STATUS: Patched CVE SUMMARY: LAME 3.99.5 has a NULL Pointer Dereference in the hip_decode_init function within libmp3lame/mpglib_interface.c via a malformed mpg file, because of an incorrect calloc call. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15019 LAYER: meta PACKAGE NAME: lame PACKAGE VERSION: 3.100 CVE: CVE-2017-15045 CVE STATUS: Patched CVE SUMMARY: LAME 3.99, 3.99.1, 3.99.2, 3.99.3, 3.99.4, 3.99.5, 3.98.4, 3.98.2 and 3.98 has a heap-based buffer over-read in fill_buffer in libmp3lame/util.c, related to lame_encode_buffer_sample_t in libmp3lame/lame.c, a different vulnerability than CVE-2017-9410. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15045 LAYER: meta PACKAGE NAME: lame PACKAGE VERSION: 3.100 CVE: CVE-2017-15046 CVE STATUS: Patched CVE SUMMARY: LAME 3.99.5, 3.99.4, 3.98.4, 3.98.2, 3.98 and 3.97 have a stack-based buffer overflow in unpack_read_samples in frontend/get_audio.c, a different vulnerability than CVE-2017-9412. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15046 LAYER: meta PACKAGE NAME: lame PACKAGE VERSION: 3.100 CVE: CVE-2017-8419 CVE STATUS: Patched CVE SUMMARY: LAME through 3.99.5 relies on the signed integer data type for values in a WAV or AIFF header, which allows remote attackers to cause a denial of service (stack-based buffer overflow or heap-based buffer overflow) or possibly have unspecified other impact via a crafted file, as demonstrated by mishandling of num_channels. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8419 LAYER: meta PACKAGE NAME: lame PACKAGE VERSION: 3.100 CVE: CVE-2017-9412 CVE STATUS: Patched CVE SUMMARY: The unpack_read_samples function in frontend/get_audio.c in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9412 LAYER: meta PACKAGE NAME: lame PACKAGE VERSION: 3.100 CVE: CVE-2017-9869 CVE STATUS: Patched CVE SUMMARY: The II_step_one function in layer2.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9869 LAYER: meta PACKAGE NAME: lame PACKAGE VERSION: 3.100 CVE: CVE-2017-9870 CVE STATUS: Patched CVE SUMMARY: The III_i_stereo function in layer3.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted audio file that is mishandled in the code for the "block_type == 2" case, a similar issue to CVE-2017-11126. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9870 LAYER: meta PACKAGE NAME: lame PACKAGE VERSION: 3.100 CVE: CVE-2017-9871 CVE STATUS: Patched CVE SUMMARY: The III_i_stereo function in layer3.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9871 LAYER: meta PACKAGE NAME: lame PACKAGE VERSION: 3.100 CVE: CVE-2017-9872 CVE STATUS: Patched CVE SUMMARY: The III_dequantize_sample function in layer3.c in mpglib, as used in libmpgdecoder.a in LAME 3.99.5 and other products, allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted audio file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9872 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2006-5876 CVE STATUS: Patched CVE SUMMARY: The soup_headers_parse function in soup-headers.c for libsoup HTTP library before 2.2.99 allows remote attackers to cause a denial of service (crash) via malformed HTTP headers, probably involving missing fields or values. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-5876 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2009-0585 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the soup_base64_encode function in soup-misc.c in libsoup 2.x.x before 2.2.x, and 2.x before 2.24, allows context-dependent attackers to execute arbitrary code via a long string that is converted to a base64 representation. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0585 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2011-2524 CVE STATUS: Patched CVE SUMMARY: Directory traversal vulnerability in soup-uri.c in SoupServer in libsoup before 2.35.4 allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in a URI. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2524 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2012-2132 CVE STATUS: Patched CVE SUMMARY: libsoup 2.32.2 and earlier does not validate certificates or clear the trust flag when the ssl-ca-file does not exist, which allows remote attackers to bypass authentication by connecting with a SSL connection. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2132 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2017-2885 CVE STATUS: Patched CVE SUMMARY: An exploitable stack based buffer overflow vulnerability exists in the GNOME libsoup 2.58. A specially crafted HTTP request can cause a stack overflow resulting in remote code execution. An attacker can send a special HTTP request to the vulnerable server to trigger this vulnerability. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2885 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2018-11713 CVE STATUS: Patched CVE SUMMARY: WebCore/platform/network/soup/SocketStreamHandleImplSoup.cpp in the libsoup network backend of WebKit, as used in WebKitGTK+ prior to version 2.20.0 or without libsoup 2.62.0, unexpectedly failed to use system proxy settings for WebSocket connections. As a result, users could be deanonymized by crafted web sites via a WebSocket connection. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11713 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2018-12910 CVE STATUS: Patched CVE SUMMARY: The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows attackers to have unspecified impact via an empty hostname. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12910 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2019-17266 CVE STATUS: Patched CVE SUMMARY: libsoup from versions 2.65.1 until 2.68.1 have a heap-based buffer over-read because soup_ntlm_parse_challenge() in soup-auth-ntlm.c does not properly check an NTLM message's length before proceeding with a memcpy. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-17266 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2024-52530 CVE STATUS: Patched CVE SUMMARY: GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-52530 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2024-52531 CVE STATUS: Patched CVE SUMMARY: GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. There is a plausible way to reach this remotely via soup_message_headers_get_content_type (e.g., an application may want to retrieve the content type of a request or response). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-52531 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2024-52532 CVE STATUS: Patched CVE SUMMARY: GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption. during the reading of certain patterns of WebSocket data from clients. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-52532 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-12105 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missing state synchronization. This leads to a use-after-free memory access, potentially crashing the affected application. Attackers could exploit this behavior remotely by triggering specific HTTP/2 read and cancel sequences, resulting in a denial-of-service condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-12105 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-2784 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. The package is vulnerable to a heap buffer over-read when sniffing content via the skip_insight_whitespace() function. Libsoup clients may read one byte out-of-bounds in response to a crafted HTTP response by an HTTP server. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-2784 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-32050 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. The libsoup append_param_quoted() function may contain an overflow bug resulting in a buffer under-read. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32050 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-32051 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. The libsoup soup_uri_decode_data_uri() function may crash when processing malformed data URI. This flaw allows an attacker to cause a denial of service (DoS). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32051 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-32052 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. A vulnerability in the sniff_unknown() function may lead to heap buffer over-read. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32052 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-32053 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. A vulnerability in sniff_feed_or_html() and skip_insignificant_space() functions may lead to a heap buffer over-read. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32053 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-32906 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup, where the soup_headers_parse_request() function may be vulnerable to an out-of-bound read. This flaw allows a malicious user to use a specially crafted HTTP request to crash the HTTP server. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32906 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-32907 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory. This does not allow for a full denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32907 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-32908 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. The HTTP/2 server in libsoup may not fully validate the values of pseudo-headers :scheme, :authority, and :path, which may allow a user to cause a denial of service (DoS). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32908 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-32909 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. SoupContentSniffer may be vulnerable to a NULL pointer dereference in the sniff_mp4 function. The HTTP server may cause the libsoup client to crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32909 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-32910 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup, where soup_auth_digest_authenticate() is vulnerable to a NULL pointer dereference. This issue may cause the libsoup client to crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32910 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-32911 CVE STATUS: Patched CVE SUMMARY: A use-after-free type vulnerability was found in libsoup, in the soup_message_headers_get_content_disposition() function. This flaw allows a malicious HTTP client to cause memory corruption in the libsoup server. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32911 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-32912 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup, where SoupAuthDigest is vulnerable to a NULL pointer dereference. The HTTP server may cause the libsoup client to crash. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32912 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-32913 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup, where the soup_message_headers_get_content_disposition() function is vulnerable to a NULL pointer dereference. This flaw allows a malicious HTTP peer to crash a libsoup client or server that uses this function. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32913 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-32914 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup, where the soup_multipart_new_from_message() function is vulnerable to an out-of-bounds read. This flaw allows a malicious HTTP client to induce the libsoup server to read out of bounds. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-32914 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-4476 CVE STATUS: Patched CVE SUMMARY: A denial-of-service vulnerability has been identified in the libsoup HTTP client library. This flaw can be triggered when a libsoup client receives a 401 (Unauthorized) HTTP response containing a specifically crafted domain parameter within the WWW-Authenticate header. Processing this malformed header can lead to a crash of the client application using libsoup. An attacker could exploit this by setting up a malicious HTTP server. If a user's application using the vulnerable libsoup library connects to this malicious server, it could result in a denial-of-service. Successful exploitation requires tricking a user's client application into connecting to the attacker's malicious server. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-4476 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-46420 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. It is vulnerable to memory leaks in the soup_header_parse_quality_list() function when parsing a quality list that contains elements with all zeroes. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-46420 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-46421 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-46421 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-4945 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the cookie parsing logic of the libsoup HTTP library, used in GNOME applications and other software. The vulnerability arises when processing the expiration date of cookies, where a specially crafted value can trigger an integer overflow. This may result in undefined behavior, allowing an attacker to bypass cookie expiration logic, causing persistent or unintended cookie behavior. The issue stems from improper validation of large integer inputs during date arithmetic operations within the cookie parsing routines. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-4945 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-4948 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the soup_multipart_new_from_message() function of the libsoup HTTP library, which is commonly used by GNOME and other applications to handle web communications. The issue occurs when the library processes specially crafted multipart messages. Due to improper validation, an internal calculation can go wrong, leading to an integer underflow. This can cause the program to access invalid memory and crash. As a result, any application or server using libsoup could be forced to exit unexpectedly, creating a denial-of-service (DoS) risk. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-4948 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2025-4969 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in the libsoup package. This flaw stems from its failure to correctly verify the termination of multipart HTTP messages. This can allow a remote attacker to send a specially crafted multipart HTTP body, causing the libsoup-consuming server to read beyond its allocated memory boundaries (out-of-bounds read). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-4969 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2026-1467 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-1467 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2026-1536 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-1536 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2026-1539 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirected to a different host. As a result, sensitive proxy credentials may be leaked to third-party servers. Applications using libsoup for HTTP communication may unintentionally expose proxy authentication data. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-1539 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2026-1801 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where libsoup accepts malformed chunk headers, such as lone line feed (LF) characters instead of the required carriage return and line feed (CRLF). A remote attacker can exploit this without authentication or user interaction by sending specially crafted chunked requests. This allows libsoup to parse and process multiple HTTP requests from a single network message, potentially leading to information disclosure. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-1801 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2026-2369 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup. An integer underflow vulnerability occurs when processing content with a zero-length resource, leading to a buffer overread. This can allow an attacker to potentially access sensitive information or cause an application level denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-2369 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2026-2436 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup's SoupServer. A remote attacker could exploit a use-after-free vulnerability where the `soup_server_disconnect()` function frees connection objects prematurely, even if a TLS handshake is still pending. If the handshake completes after the connection object has been freed, a dangling pointer is accessed, leading to a server crash and a Denial of Service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-2436 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2026-2443 CVE STATUS: Unpatched CVE SUMMARY: A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-2443 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2026-2708 CVE STATUS: Unpatched CVE SUMMARY: A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker to send HTTP requests containing multiple Content-Length headers with differing values. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.7 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-2708 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2026-3099 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in Libsoup. The server-side digest authentication implementation in the SoupAuthDomainDigest class does not properly track issued nonces or enforce the required incrementing nonce-count (nc) attribute. This vulnerability allows a remote attacker to capture a single valid authentication header and replay it repeatedly. Consequently, the attacker can bypass authentication and gain unauthorized access to protected resources, impersonating the legitimate user. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3099 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2026-3632 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, where they can send hidden, malicious requests alongside legitimate ones. In certain situations, this could lead to Server-Side Request Forgery (SSRF), enabling an attacker to force the server to make unauthorized requests to other internal or external systems. The impact is low, as SoupServer is not actually used in internet infrastructure. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3632 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2026-3633 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3633 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2026-3634 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup. An attacker controlling the value used to set the Content-Type header can inject a Carriage Return Line Feed (CRLF) sequence due to improper input sanitization in the `soup_message_headers_set_content_type()` function. This vulnerability allows for the injection of arbitrary header-value pairs, potentially leading to HTTP header injection and response splitting attacks. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-3634 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2026-4271 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup, a library for handling HTTP requests. This vulnerability, known as a Use-After-Free, occurs in the HTTP/2 server implementation. A remote attacker can exploit this by sending specially crafted HTTP/2 requests that cause authentication failures. This can lead to the application attempting to access memory that has already been freed, potentially causing application instability or crashes, resulting in a Denial of Service (DoS). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-4271 LAYER: meta PACKAGE NAME: libsoup PACKAGE VERSION: 3.4.4 CVE: CVE-2026-5119 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.9 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-5119 LAYER: meta PACKAGE NAME: findutils PACKAGE VERSION: 4.9.0 CVE: CVE-2001-1036 CVE STATUS: Patched CVE SUMMARY: GNU locate in findutils 4.1 on Slackware 7.1 and 8.0 allows local users to gain privileges via an old formatted filename database (locatedb) that contains an entry with an out-of-range offset, which causes locate to write to arbitrary process memory. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2001-1036 LAYER: meta PACKAGE NAME: findutils PACKAGE VERSION: 4.9.0 CVE: CVE-2007-2452 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the visit_old_format function in locate/locate.c in locate in GNU findutils before 4.2.31 might allow context-dependent attackers to execute arbitrary code via a long pathname in a locate database that has the old format, a different vulnerability than CVE-2001-1036. CVSS v2 BASE SCORE: 6.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2452 LAYER: meta PACKAGE NAME: gstreamer1.0-rtsp-server PACKAGE VERSION: 1_1.22.12+git CVE: CVE-2020-6095 CVE STATUS: Patched CVE SUMMARY: An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-6095 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2005-0664 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the EXIF library (libexif) 0.6.9 does not properly validate the structure of the EXIF tags, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a JPEG image with a crafted EXIF tag. CVSS v2 BASE SCORE: 2.6 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:H/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2005-0664 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2006-4168 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the exif_data_load_data_entry function in libexif/exif-data.c in Libexif before 0.6.16 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via an image with many EXIF components, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2006-4168 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2007-2645 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the exif_data_load_data_entry function in exif-data.c in libexif before 0.6.14 allows user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted EXIF data, involving the (1) doff or (2) s variable. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-2645 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2007-6351 CVE STATUS: Patched CVE SUMMARY: libexif 0.6.16 and earlier allows context-dependent attackers to cause a denial of service (infinite recursion) via an image file with crafted EXIF tags, possibly involving the exif_loader_write function in exif_loader.c. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6351 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2007-6352 CVE STATUS: Patched CVE SUMMARY: Integer overflow in libexif 0.6.16 and earlier allows context-dependent attackers to execute arbitrary code via an image with crafted EXIF tags, possibly involving the exif_data_load_data_thumbnail function in exif-data.c. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6352 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2009-3895 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the exif_entry_fix function (aka the tag fixup routine) in libexif/exif-entry.c in libexif 0.6.18 allows remote attackers to cause a denial of service or possibly execute arbitrary code via an invalid EXIF image. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3895 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2012-2812 CVE STATUS: Patched CVE SUMMARY: The exif_entry_get_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2812 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2012-2813 CVE STATUS: Patched CVE SUMMARY: The exif_convert_utf16_to_utf8 function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2813 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2012-2814 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the exif_entry_format_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) 0.6.20 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted EXIF tags in an image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2814 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2012-2836 CVE STATUS: Patched CVE SUMMARY: The exif_data_load_data function in exif-data.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2836 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2012-2837 CVE STATUS: Patched CVE SUMMARY: The mnote_olympus_entry_get_value function in olympus/mnote-olympus-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (divide-by-zero error) via an image with crafted EXIF tags that are not properly handled during the formatting of EXIF maker note tags. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2837 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2012-2840 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the exif_convert_utf16_to_utf8 function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted EXIF tags in an image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2840 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2012-2841 CVE STATUS: Patched CVE SUMMARY: Integer underflow in the exif_entry_get_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) 0.6.20 might allow remote attackers to execute arbitrary code via vectors involving a crafted buffer-size parameter during the formatting of an EXIF tag, leading to a heap-based buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2841 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2016-6328 CVE STATUS: Patched CVE SUMMARY: A vulnerability was found in libexif. An integer overflow when parsing the MNOTE entry data of the input file. This can cause Denial-of-Service (DoS) and Information Disclosure (disclosing some critical heap chunk metadata, even other applications' private data). CVSS v2 BASE SCORE: 5.8 CVSS v3 BASE SCORE: 6.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6328 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2017-7544 CVE STATUS: Patched CVE SUMMARY: libexif through 0.6.21 is vulnerable to out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c caused by improper length computation of the allocated data of an ExifMnote entry which can cause denial-of-service or possibly information disclosure. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7544 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2018-20030 CVE STATUS: Patched CVE SUMMARY: An error when processing the EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EXIF tags within libexif version 0.6.21 can be exploited to exhaust available CPU resources. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20030 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2020-0093 CVE STATUS: Patched CVE SUMMARY: In exif_data_save_data_entry of exif-data.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-148705132 CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0093 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2020-0181 CVE STATUS: Patched CVE SUMMARY: In exif_data_load_data_thumbnail of exif-data.c, there is a possible denial of service due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145075076 CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0181 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2020-0198 CVE STATUS: Patched CVE SUMMARY: In exif_data_load_data_content of exif-data.c, there is a possible UBSAN abort due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-146428941 CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-0198 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2020-12767 CVE STATUS: Patched CVE SUMMARY: exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a divide-by-zero error. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12767 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2020-13112 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in libexif before 0.6.22. Several buffer over-reads in EXIF MakerNote handling could lead to information disclosure and crashes. This is different from CVE-2020-0093. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13112 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2020-13113 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in libexif before 0.6.22. Use of uninitialized memory in EXIF Makernote handling could lead to crashes and potential use-after-free conditions. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 8.2 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13113 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2020-13114 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in libexif before 0.6.22. An unrestricted size in handling Canon EXIF MakerNote data could lead to consumption of large amounts of compute time for decoding EXIF data. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13114 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2026-32775 CVE STATUS: Unpatched CVE SUMMARY: libexif through 0.6.25 has a flaw in decoding MakerNotes. If the exif_mnote_data_get_value function gets passed in a 0 size, the passed in-buffer would be overwritten due to an integer underflow. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-32775 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2026-40385 CVE STATUS: Unpatched CVE SUMMARY: In libexif through 0.6.25, an unsigned 32bit integer overflow in Nikon MakerNote handling could be used by local attackers to cause crashes or information leaks. This only affects 32bit systems. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-40385 LAYER: meta PACKAGE NAME: libexif PACKAGE VERSION: 0.6.24 CVE: CVE-2026-40386 CVE STATUS: Unpatched CVE SUMMARY: In libexif through 0.6.25, an integer underflow in size checking for Fuji and Olympus MakerNote decoding could be used by attackers to crash or leak information out of libexif-using programs. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.0 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-40386 LAYER: meta PACKAGE NAME: xdg-utils PACKAGE VERSION: 1.1.3 CVE: CVE-2008-0386 CVE STATUS: Patched CVE SUMMARY: Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a URL argument to (1) xdg-open or (2) xdg-email. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0386 LAYER: meta PACKAGE NAME: xdg-utils PACKAGE VERSION: 1.1.3 CVE: CVE-2009-0068 CVE STATUS: Patched CVE SUMMARY: Interaction error in xdg-open allows remote attackers to execute arbitrary code by sending a file with a dangerous MIME type but using a safe type that Firefox sends to xdg-open, which causes xdg-open to process the dangerous file type through automatic type detection, as demonstrated by overwriting the .desktop file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-0068 LAYER: meta PACKAGE NAME: xdg-utils PACKAGE VERSION: 1.1.3 CVE: CVE-2014-9622 CVE STATUS: Patched CVE SUMMARY: Eval injection vulnerability in xdg-utils 1.1.0 RC1, when no supported desktop environment is identified, allows context-dependent attackers to execute arbitrary code via the URL argument to xdg-open. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9622 LAYER: meta PACKAGE NAME: xdg-utils PACKAGE VERSION: 1.1.3 CVE: CVE-2015-1877 CVE STATUS: Patched CVE SUMMARY: The open_generic_xdg_mime function in xdg-open in xdg-utils 1.1.0 rc1 in Debian, when using dash, does not properly handle local variables, which allows remote attackers to execute arbitrary commands via a crafted file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1877 LAYER: meta PACKAGE NAME: xdg-utils PACKAGE VERSION: 1.1.3 CVE: CVE-2017-18266 CVE STATUS: Patched CVE SUMMARY: The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment variable. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 8.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18266 LAYER: meta PACKAGE NAME: xdg-utils PACKAGE VERSION: 1.1.3 CVE: CVE-2020-27748 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27748 LAYER: meta PACKAGE NAME: xdg-utils PACKAGE VERSION: 1.1.3 CVE: CVE-2022-4055 CVE STATUS: Patched CVE SUMMARY: When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.4 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4055 LAYER: meta-ros-common PACKAGE NAME: libyaml PACKAGE VERSION: 0.2.5 CVE: CVE-2013-6393 CVE STATUS: Patched CVE SUMMARY: The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6393 LAYER: meta-ros-common PACKAGE NAME: libyaml PACKAGE VERSION: 0.2.5 CVE: CVE-2014-2525 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2525 LAYER: meta-ros-common PACKAGE NAME: libyaml PACKAGE VERSION: 0.2.5 CVE: CVE-2014-9130 CVE STATUS: Patched CVE SUMMARY: scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9130 LAYER: meta PACKAGE NAME: libsolv PACKAGE VERSION: 0.7.28 CVE: CVE-2018-20532 CVE STATUS: Patched CVE SUMMARY: There is a NULL pointer dereference at ext/testcase.c (function testcase_read) in libsolvext.a in libsolv through 0.7.2 that will cause a denial of service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20532 LAYER: meta PACKAGE NAME: libsolv PACKAGE VERSION: 0.7.28 CVE: CVE-2018-20533 CVE STATUS: Patched CVE SUMMARY: There is a NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a in libsolv through 0.7.2 that will cause a denial of service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20533 LAYER: meta PACKAGE NAME: libsolv PACKAGE VERSION: 0.7.28 CVE: CVE-2018-20534 CVE STATUS: Patched CVE SUMMARY: There is an illegal address access at ext/testcase.c in libsolv.a in libsolv through 0.7.2 that will cause a denial of service. NOTE: third parties dispute this issue stating that the issue affects the test suite and not the underlying library. It cannot be exploited in any real-world application CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20534 LAYER: meta PACKAGE NAME: libsolv PACKAGE VERSION: 0.7.28 CVE: CVE-2019-20387 CVE STATUS: Patched CVE SUMMARY: repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based buffer over-read via a last schema whose length is less than the length of the input schema. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20387 LAYER: meta PACKAGE NAME: libsolv PACKAGE VERSION: 0.7.28 CVE: CVE-2021-3200 CVE STATUS: Patched CVE SUMMARY: Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 3.3 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3200 LAYER: meta PACKAGE NAME: libsolv PACKAGE VERSION: 0.7.28 CVE: CVE-2021-33928 CVE STATUS: Patched CVE SUMMARY: Buffer overflow vulnerability in function pool_installable in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33928 LAYER: meta PACKAGE NAME: libsolv PACKAGE VERSION: 0.7.28 CVE: CVE-2021-33929 CVE STATUS: Patched CVE SUMMARY: Buffer overflow vulnerability in function pool_disabled_solvable in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33929 LAYER: meta PACKAGE NAME: libsolv PACKAGE VERSION: 0.7.28 CVE: CVE-2021-33930 CVE STATUS: Patched CVE SUMMARY: Buffer overflow vulnerability in function pool_installable_whatprovides in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33930 LAYER: meta PACKAGE NAME: libsolv PACKAGE VERSION: 0.7.28 CVE: CVE-2021-33938 CVE STATUS: Patched CVE SUMMARY: Buffer overflow vulnerability in function prune_to_recommended in src/policy.c in libsolv before 0.7.17 allows attackers to cause a Denial of Service. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-33938 LAYER: meta PACKAGE NAME: libsolv PACKAGE VERSION: 0.7.28 CVE: CVE-2021-44568 CVE STATUS: Patched CVE SUMMARY: Two heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv through 13 Dec 2020 in the decisionmap variable via the resolve_dependencies function at src/solver.c (line 1940 & line 1995), which could cause a remote Denial of Service. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-44568 LAYER: meta PACKAGE NAME: libsolv PACKAGE VERSION: 0.7.28 CVE: CVE-2026-48864 CVE STATUS: Patched CVE SUMMARY: A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled compressed data within `.solv` files due to insufficient input validation. An attacker can provide a specially crafted `.solv` file, which, when processed by a vulnerable application, can lead to out-of-bounds memory access. This could result in information disclosure, alteration of program execution, or a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 CVSS v4 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-48864 LAYER: meta PACKAGE NAME: libsolv PACKAGE VERSION: 0.7.28 CVE: CVE-2026-9149 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS). CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-9149 LAYER: meta PACKAGE NAME: libsolv PACKAGE VERSION: 0.7.28 CVE: CVE-2026-9150 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2026-9150