Skip to content

Security updates#428

Merged
thalassemia merged 1 commit into
masterfrom
security-updates
Jun 24, 2026
Merged

Security updates#428
thalassemia merged 1 commit into
masterfrom
security-updates

Conversation

@github-actions

@github-actions github-actions Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

Security Vulnerability Report

Generated on: 2026-06-24 00:57:41

Summary

Found vulnerabilities in 9 packages requiring updates.

Package Upgrades Overview

Package Current Version Recommended Version Vulnerabilities
aiohttp 3.13.4 3.14.1 11
biopython 1.85 Unknown 1
bleach 6.2.0 6.4.0 2
jupyter-server 2.18.0 2.20.0 1
jupyterlab 4.5.7 4.5.9 1
marimo 0.23.0 0.23.9 1
starlette 1.0.1 1.3.1 4
tornado 6.5.5 6.5.7 4
ujson 5.12.1 5.13.0 1

Detailed Vulnerability Information

aiohttp (v3.13.4)

Vulnerability ID Fix Versions Aliases
CVE-2026-34993 3.14.0 GHSA-jg22-mg44-37j8
CVE-2026-47265 3.14.0 GHSA-hg6j-4rv6-33pg
CVE-2026-54273 3.14.1 GHSA-4fvr-rgm6-gqmc
CVE-2026-54279 3.14.1 GHSA-2fqr-mr3j-6wp8
CVE-2026-54277 3.14.1 GHSA-63hw-fmq6-xxg2
CVE-2026-50269 3.14.0 GHSA-m6qw-4cw2-hm4m
CVE-2026-54276 3.14.1 GHSA-hpj7-wq8m-9hgp
CVE-2026-54278 3.14.1 GHSA-g3cq-j2xw-wf74
CVE-2026-54280 3.14.1 GHSA-9x8q-7h8h-wcw9
CVE-2026-54274 3.14.1 GHSA-xcgm-r5h9-7989
CVE-2026-54275 3.14.1 GHSA-4m7w-qmgq-4wj5

biopython (v1.85)

Vulnerability ID Fix Versions Aliases
CVE-2025-68463 GHSA-x3vf-39hj-gxr4

bleach (v6.2.0)

Vulnerability ID Fix Versions Aliases
GHSA-gj48-438w-jh9v 6.4.0
GHSA-8rfp-98v4-mmr6 6.4.0

jupyter-server (v2.18.0)

Vulnerability ID Fix Versions Aliases
CVE-2026-44727 2.20.0 GHSA-fcw5-x6j4-ccmp

jupyterlab (v4.5.7)

Vulnerability ID Fix Versions Aliases
GHSA-vmhf-c436-hxj4 4.5.9

marimo (v0.23.0)

Vulnerability ID Fix Versions Aliases
CVE-2026-54386 0.23.9 GHSA-8m59-7xv8-735h

starlette (v1.0.1)

Vulnerability ID Fix Versions Aliases
CVE-2026-48818 1.1.0 GHSA-wqp7-x3pw-xc5r
CVE-2026-48817 1.1.0 GHSA-x746-7m8f-x49c
CVE-2026-54283 1.3.1 GHSA-82w8-qh3p-5jfq
CVE-2026-54282 1.3.0 GHSA-jp82-jpqv-5vv3

tornado (v6.5.5)

Vulnerability ID Fix Versions Aliases
CVE-2026-49854 6.5.6 GHSA-cx3h-4qpv-8hc9
CVE-2026-49853 6.5.6 GHSA-3x9g-8vmp-wqvf
CVE-2026-49855 6.5.6 GHSA-mgf9-4vpg-hj56
GHSA-pw6j-qg29-8w7f 6.5.7

ujson (v5.12.1)

Vulnerability ID Fix Versions Aliases
CVE-2026-54911 5.13.0 GHSA-3j69-69wj-xqx2

Recommended Actions

  1. Review the vulnerability details above.
  2. Close and reopen this PR to trigger CI/CD tests.
  3. Approve and merge the PR if everything looks good.

This report was generated automatically. Please verify all upgrades before applying.

@github-actions github-actions Bot force-pushed the security-updates branch 4 times, most recently from db9c2bd to dc57c22 Compare June 19, 2026 01:14
@thalassemia thalassemia reopened this Jun 24, 2026
@thalassemia thalassemia added the long ci PR nearly ready to merge so run longer CI tests label Jun 24, 2026
@github-actions

Copy link
Copy Markdown
Contributor Author

🔍 Vulnerabilities of vecoli:latest

📦 Image Reference vecoli:latest
digestsha256:cbf5e6e10e4faae088f130ab5ce969ec115572186dc85d081f4f2cace89375e5
vulnerabilitiescritical: 1 high: 7 medium: 19 low: 108 unspecified: 13
platformlinux/amd64
size975 MB
packages904
📦 Base Image debian:13-slim
also known as
  • 13.4-slim
  • trixie-20260505-slim
  • trixie-slim
digestsha256:486b1c3d3a6a836d2518d5ac1a7b522050a034ae83b47c063fd45d550b2b9dbf
vulnerabilitiescritical: 1 high: 7 medium: 8 low: 16 unspecified: 2
critical: 1 high: 2 medium: 2 low: 2 perl 5.40.1-6 (deb)

pkg:deb/debian/perl@5.40.1-6?os_distro=trixie&os_name=debian&os_version=13

critical : CVE--2026--12087

Affected range>0
Fixed versionNot Fixed
EPSS Score0.389%
EPSS Percentile31st percentile
Description

Socket versions before 2.041 for Perl have an out-of-bounds heap read. In Socket.xs, pack_ip_mreq_source() checks the length of its source argument before the argument is read, so the check tests the byte length carried over from the preceding multiaddr argument instead. Both addresses occupy a 4-byte field, so a valid multiaddr lets a source of any length pass the check, and the source is then copied into the 4-byte imr_sourceaddr field with a fixed-size copy. A source shorter than 4 bytes is not rejected, and the copy reads up to 3 bytes past the end of its buffer. Calling pack_ip_mreq_source() with a source value shorter than 4 bytes copies adjacent heap memory into the returned packed structure.


high : CVE--2026--48959

Affected range>0
Fixed versionNot Fixed
EPSS Score0.388%
EPSS Percentile31st percentile
Description

IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration. Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.


high : CVE--2026--48962

Affected range>0
Fixed versionNot Fixed
EPSS Score0.304%
EPSS Percentile22nd percentile
Description

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl. Arbitrary Perl in the output glob executes at the calling process's privilege.


medium : CVE--2026--7010

Affected range>0
Fixed versionNot Fixed
EPSS Score0.227%
EPSS Percentile13th percentile
Description

HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the Host: header, and HTTP/1.1 control data field values. An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.


medium : CVE--2025--15649

Affected range>0
Fixed versionNot Fixed
EPSS Score0.132%
EPSS Percentile3rd percentile
Description

IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die. The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.


low : CVE--2026--48961

Affected range>0
Fixed versionNot Fixed
EPSS Score0.272%
EPSS Percentile19th percentile
Description

IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID. When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255. Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.


low : CVE--2011--4116

Affected range>0
Fixed versionNot Fixed
EPSS Score0.520%
EPSS Percentile40th percentile
Description

_is_safe in the File::Temp module for Perl does not properly handle symlinks.


critical: 0 high: 4 medium: 1 low: 11 openssl 3.5.6-1~deb13u1 (deb)

pkg:deb/debian/openssl@3.5.6-1~deb13u1?os_distro=trixie&os_name=debian&os_version=13

high : CVE--2026--45447

Affected range<3.5.6-1~deb13u2
Fixed version3.5.6-1~deb13u2
EPSS Score2.268%
EPSS Percentile81st percentile
Description

Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.


high : CVE--2026--7383

Affected range<3.5.6-1~deb13u2
Fixed version3.5.6-1~deb13u2
EPSS Score0.358%
EPSS Percentile28th percentile
Description

Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.


high : CVE--2026--9076

Affected range<3.5.6-1~deb13u2
Fixed version3.5.6-1~deb13u2
EPSS Score0.297%
EPSS Percentile21st percentile
Description

Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue.


high : CVE--2026--34180

Affected range<3.5.6-1~deb13u2
Fixed version3.5.6-1~deb13u2
EPSS Score0.513%
EPSS Percentile40th percentile
Description

Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or to load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.


medium : CVE--2026--42766

Affected range<3.5.6-1~deb13u2
Fixed version3.5.6-1~deb13u2
EPSS Score0.595%
EPSS Percentile44th percentile
Description

Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.


low : CVE--2026--45446

Affected range<3.5.6-1~deb13u2
Fixed version3.5.6-1~deb13u2
EPSS Score0.210%
EPSS Percentile11th percentile
Description

Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, EVP_DecryptFinal_ex() is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls EVP_DecryptFinal_ex() without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.


low : CVE--2026--45445

Affected range<3.5.6-1~deb13u2
Fixed version3.5.6-1~deb13u2
EPSS Score0.320%
EPSS Percentile24th percentile
Description

Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.


low : CVE--2026--42770

Affected range<3.5.6-1~deb13u2
Fixed version3.5.6-1~deb13u2
EPSS Score0.259%
EPSS Percentile17th percentile
Description

Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.


low : CVE--2026--42769

Affected range<3.5.6-1~deb13u2
Fixed version3.5.6-1~deb13u2
EPSS Score0.272%
EPSS Percentile19th percentile
Description

Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level. Impact Summary: The Registration Autority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate. One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one. The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code). An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor. Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.


low : CVE--2026--42768

Affected range<3.5.6-1~deb13u2
Fixed version3.5.6-1~deb13u2
EPSS Score0.364%
EPSS Percentile28th percentile
Description

Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output. Impact summary: The Bleichenbacher-style attack allows an attacker to use the victim's vulnerable application as a way to decrypt or sign messages with the victim's private RSA key. The attack is possible in 2 variants. 1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without providing the recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI) without stopping at the first success. An attacker who authors a message with two KTRI entries — the first one wrapping a real CEK under the victim's public key, the second with an arbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to get a valid PKCS#1 v1.5 padding if the error code of the application is available. That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive-chosen-ciphertext side channel from which the attacker decrypts any RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under it. 2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with the recipient certificate, and the recipient is not found, a random key is substituted. An attacker who authors a message and is able to compare both error code and the result of the decryption, can mount a Bleichenbacher oracle. We are not aware of any applications that provide a remote attacker an opportunity to mount an attack described in these scenarios. We consider the existence of such application very unlikely, and for this reason this CVE has been evaluated as Low severity. To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit rejection was explicitly disabled. The implicit rejection mechanism always returns a plaintext value, the symmetric key. This result is deterministic for the ciphertext and the private key. The length of the decryption result can happen to match the length of the key of the symmetric cipher that was used for the content encryption. When a certificate is not provided, the last RecipientInfo producing a key that looks valid will be used. It may cause getting garbage content on decryption. As a proper way to deal with this a recipient certificate has to be provided to identify the particular RecipientInfo for decryption. The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.


low : CVE--2026--42767

Affected range<3.5.6-1~deb13u2
Fixed version3.5.6-1~deb13u2
EPSS Score0.349%
EPSS Percentile27th percentile
Description

Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.


low : CVE--2026--42764

Affected range<3.5.6-1~deb13u2
Fixed version3.5.6-1~deb13u2
EPSS Score0.684%
EPSS Percentile48th percentile
Description

Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial of Service. If the address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token. By default, the client address validation is enabled in the OpenSSL QUIC server implementation, which makes the default configuration not vulnerable to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with the SSL_new_listener() call, the address validation is disabled making the vulnerable code reachable. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.


low : CVE--2026--34183

Affected range<3.5.6-1~deb13u2
Fixed version3.5.6-1~deb13u2
EPSS Score0.511%
EPSS Percentile39th percentile
Description

Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames. Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service. A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary.


low : CVE--2026--34182

Affected range<3.5.6-1~deb13u2
Fixed version3.5.6-1~deb13u2
EPSS Score0.227%
EPSS Percentile13th percentile
Description

Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue.


low : CVE--2026--34181

Affected range<3.5.6-1~deb13u2
Fixed version3.5.6-1~deb13u2
EPSS Score0.196%
EPSS Percentile9th percentile
Description

Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery. Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability. If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.


low : CVE--2010--0928

Affected range>=3.2.1-3
Fixed versionNot Fixed
EPSS Score0.515%
EPSS Percentile40th percentile
Description

OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."


http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf
openssl/openssl#24540
Fault injection based attacks are not within OpenSSLs threat model according
to the security policy: https://www.openssl.org/policies/general/security-policy.html

critical: 0 high: 1 medium: 0 low: 0 quinn-proto 0.11.14 (cargo)

pkg:cargo/quinn-proto@0.11.14

high 7.5: GHSA--4w2j--m93h--cj5j

Affected range<0.11.15
Fixed version0.11.15
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description

The Assembler component that assembles unordered stream fragments into consecutive chunks of the
stream incurs some overhead for non-contiguous fragments. Readers that read from a RecvStream in
order (through an AsyncRead impl for example) will be sensitive to peers that send fragments
while leaving out early parts of the stream, and in particular, fragments with many gaps (because
these cannot be defragmented). In such a scenario, the receiving connection suffers from high
buffer overhead, enabling memory exhaustion.

critical: 0 high: 0 medium: 4 low: 4 systemd 257.9-1~deb13u1 (deb)

pkg:deb/debian/systemd@257.9-1~deb13u1?os_distro=trixie&os_name=debian&os_version=13

medium : CVE--2026--4105

Affected range<257.13-1~deb13u1
Fixed version257.13-1~deb13u1
EPSS Score0.142%
EPSS Percentile4th percentile
Description

A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.


medium : CVE--2026--40226

Affected range<257.13-1~deb13u1
Fixed version257.13-1~deb13u1
EPSS Score0.072%
EPSS Percentile0th percentile
Description

In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.


medium : CVE--2026--40225

Affected range<257.13-1~deb13u1
Fixed version257.13-1~deb13u1
EPSS Score0.144%
EPSS Percentile4th percentile
Description

In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel output.


medium : CVE--2026--29111

Affected range<257.13-1~deb13u1
Fixed version257.13-1~deb13u1
EPSS Score0.121%
EPSS Percentile2nd percentile
Description

systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.


low : CVE--2023--31439

Affected range>0
Fixed versionNot Fixed
EPSS Score0.352%
EPSS Percentile27th percentile
Description

An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."


low : CVE--2023--31438

Affected range>0
Fixed versionNot Fixed
EPSS Score0.328%
EPSS Percentile24th percentile
Description

An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."


low : CVE--2023--31437

Affected range>0
Fixed versionNot Fixed
EPSS Score0.344%
EPSS Percentile26th percentile
Description

An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."


low : CVE--2013--4392

Affected range>0
Fixed versionNot Fixed
EPSS Score0.472%
EPSS Percentile37th percentile
Description

systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.


critical: 0 high: 0 medium: 3 low: 0 pip 26.0.1 (pypi)

pkg:pypi/pip@26.0.1

medium 5.5: CVE--2026--8643

Affected range<26.1.2
Fixed version26.1.2
CVSS Score5.5
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS Score0.135%
EPSS Percentile3rd percentile
Description

pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

medium 5.3: CVE--2026--6357 Inclusion of Functionality from Untrusted Control Sphere

Affected range<26.1
Fixed version26.1
CVSS Score5.3
CVSS VectorCVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS Score0.138%
EPSS Percentile4th percentile
Description

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

medium 4.6: CVE--2026--3219 Unrestricted Upload of File with Dangerous Type

Affected range<=26.0.1
Fixed version26.1
CVSS Score4.6
CVSS VectorCVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS Score0.144%
EPSS Percentile4th percentile
Description

pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.

critical: 0 high: 0 medium: 2 low: 4 krb5 1.21.3-5 (deb)

pkg:deb/debian/krb5@1.21.3-5?os_distro=trixie&os_name=debian&os_version=13

medium : CVE--2026--40356

Affected range<1.21.3-5+deb13u1
Fixed version1.21.3-5+deb13u1
EPSS Score0.460%
EPSS Percentile36th percentile
Description

In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.


medium : CVE--2026--40355

Affected range<1.21.3-5+deb13u1
Fixed version1.21.3-5+deb13u1
EPSS Score0.461%
EPSS Percentile36th percentile
Description

In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.


low : CVE--2026--11850

Affected range>0
Fixed versionNot Fixed
EPSS Score0.261%
EPSS Percentile17th percentile
Description

An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without a prior bounds check. When bv_len is 0 or 1, the subtraction wraps to a large value which is then truncated to uint16_t, yielding 0xFFFE (65534) or 0xFFFF (65535). The subsequent malloc succeeds and memcpy reads up to 65534 bytes from a 0-1 byte buffer, resulting in a heap out-of-bounds read. The attack vector involves a malicious or compromised LDAP KDB backend returning a krbExtraData attribute with bv_len < 2, triggering the underflow when the KDC or kadmind reads principal data.


low : CVE--2024--26461

Affected range>0
Fixed versionNot Fixed
EPSS Score1.128%
EPSS Percentile62nd percentile
Description

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.


low : CVE--2024--26458

Affected range>0
Fixed versionNot Fixed
EPSS Score0.815%
EPSS Percentile52nd percentile
Description

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.


low : CVE--2018--5709

Affected range>0
Fixed versionNot Fixed
EPSS Score2.106%
EPSS Percentile79th percentile
Description

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.


critical: 0 high: 0 medium: 1 low: 1 tar 1.35+dfsg-3.1 (deb)

pkg:deb/debian/tar@1.35%2Bdfsg-3.1?os_distro=trixie&os_name=debian&os_version=13

medium : CVE--2025--45582

Affected range>=1.35+dfsg-3.1
Fixed versionNot Fixed
EPSS Score0.433%
EPSS Percentile34th percentile
Description

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages).


Disputed tar issue, works as documented per upstream:
https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md

low : CVE--2005--2541

Affected range>0
Fixed versionNot Fixed
EPSS Score3.992%
EPSS Percentile89th percentile
Description

Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.


This is intended behaviour, after all tar is an archiving tool and you
need to give -p as a command line flag

critical: 0 high: 0 medium: 1 low: 0 biopython 1.85 (pypi)

pkg:pypi/biopython@1.85

medium 4.9: CVE--2025--68463 Improper Restriction of XML External Entity Reference

Affected range<=1.86
Fixed versionNot Fixed
CVSS Score4.9
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:L
EPSS Score0.293%
EPSS Percentile21st percentile
Description

Bio.Entrez in Biopython through 1.86 allows doctype XXE.

critical: 0 high: 0 medium: 1 low: 0 uv 0.11.14 (cargo)

pkg:cargo/uv@0.11.14

medium : GHSA--4gg8--gxpx--9rph Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected range<0.11.15
Fixed version0.11.15
Description

Impact

In versions of uv prior to 0.11.15, when installing a distribution containing an entry point specification (under console_scripts or gui_scripts), uv would place the generated entry point according to the given name even if doing so resulted in a path outside of the environment's scripts directory.

A malicious wheel could use this to place an executable outside of the intended environment, including in a directory already present on the user's PATH. This could shadow or overwrite an existing executable and potentially result in unexpected code execution under the wheel's control, even if the wheel's installation environment was not explicitly added to PATH by the user.

In order to exploit this vulnerability, the attacker must induce their target into installing a malicious wheel.

Patches

uv 0.11.15 and newer address this vulnerability. Users are encouraged to upgrade to 0.11.15.

Workarounds

There is no workaround other than upgrading to uv 0.11.15.

critical: 0 high: 0 medium: 1 low: 0 tar 0.4.45 (cargo)

pkg:cargo/tar@0.4.45

medium : GHSA--3pv8--6f4r--ffg2 Improper Input Validation

Affected range<=0.4.45
Fixed version0.4.46
Description

Summary

When a tar stream contains multiple "header" entries prior to a file entry, tar-rs applies the PAX header (x) to the next entry in the stream, regardless of type. For example, a stream of x -> L -> file (PAX, GNU longname, file) would result in x's extensions being applied to L rather than to file.

Per POSIX pax, this is incorrect: a PAX header always applies to a file entry, not any intermediary entries. See the "pax Header Block" section for the specific prescription there.

As a result of this, an attacker can contrive a tar containing a sequence of tar headers such that tar-rs applies the PAX header's size extension to the next header in sequence, effectively desynchronizing the stream and enabling tar-rs specific skippage/extraction of members. In other words, a file can be contrived to extract differently on tar-rs than on other tar parsers.

PoC

This tar (zipped for size) demonstrates the desynchronization: with tar tvf:

% tar tvf tests/archives/pax-overrides-extension-header.tar 
----------  0 0      0        2048 Dec 31  1969 longname.txt
----------  0 0      0           0 Dec 31  1969 file_b

with tar-rs:

---- pax_size_does_not_apply_to_extension_headers stdout ----

thread 'pax_size_does_not_apply_to_extension_headers' (250476889) panicked at tests/all.rs:2121:27:
called `Result::unwrap()` on an `Err` value: Custom { kind: Other, error: "numeric field was not a number: AAAAAAAA when getting cksum for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

In the above case, the PoC is not weaponized, so it jumps into the middle of an entry and subsequently fails the checksum test rather than silently continuing with attacker-controlled archive state.

Impact

This is very similar to GHSA-j5gw-2vrg-8fgx and GHSA-fp55-jw48-c537 in impact -- an attacker can use this to extract (or not extract) files from a tar stream depending on the tar parser used, which in turn can be used to obscure the presence of malicious files.

critical: 0 high: 0 medium: 1 low: 0 rsa 0.9.10 (cargo)

pkg:cargo/rsa@0.9.10

medium 5.9: CVE--2023--49092

Affected range>=0.0.0-0
Fixed versionNot Fixed
CVSS Score5.9
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score0.605%
EPSS Percentile44th percentile
Description

Impact

Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.

Patches

No patch is yet available, however work is underway to migrate to a fully constant-time implementation.

Workarounds

The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.

References

This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.

critical: 0 high: 0 medium: 1 low: 0 libcap2 1:2.75-10+b8 (deb)

pkg:deb/debian/libcap2@1%3A2.75-10%2Bb8?os_distro=trixie&os_name=debian&os_version=13

medium : CVE--2026--4878

Affected range<1:2.75-10+deb13u1
Fixed version1:2.75-10+deb13u1
EPSS Score0.188%
EPSS Percentile8th percentile
Description

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the cap_set_file() function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.


critical: 0 high: 0 medium: 1 low: 0 astral-tokio-tar 0.6.1 (cargo)

pkg:cargo/astral-tokio-tar@0.6.1

medium 6.9: GHSA--3cv2--h65g--fgmm Improper Input Validation

Affected range<=0.6.1
Fixed version0.6.2
CVSS Score6.9
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Description

Impact

Versions of astral-tokio-tar prior to 0.6.2 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle unexpected files onto a victim's filesystem.

Details

When a tar stream contains multiple "header" entries prior to a file entry, astral-tokio-tar applies the PAX header (x) to the next entry in the stream, regardless of type. For example, a stream of x -> L -> file (PAX, GNU longname, file) would result in x's extensions being applied to L rather than to file.

Per POSIX pax, this is incorrect: a PAX header always applies to a file entry, not any intermediary entries. See the "pax Header Block" section for the specific prescription there.

As a result of this, an attacker can contrive a tar containing a sequence of tar headers such that astral-tokio-tar applies the PAX header's size extension to the next header in sequence, effectively desynchronizing the stream and enabling astral-tokio-tar specific skippage/extraction of members. In other words, a file can be contrived to extract differently on astral-tokio-tar than on other tar parsers.

Patches

Versions 0.6.2 and newer of astral-tokio-tar address this differential.

Workarounds

Users are advised to upgrade to version 0.6.1 or newer to address this advisory.

There is no workaround other than upgrading. Users should experience no breaking changes as a result of the upgrade.

Resources

  • GHSA-j5gw-2vrg-8fgx is a similar PAX desynchronization bug
  • GHSA-fp55-jw48-c537 is another similar PAX desynchronization bug
critical: 0 high: 0 medium: 0 low: 54 binutils 2.44-3 (deb)

pkg:deb/debian/binutils@2.44-3?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2026--6846

Affected range>0
Fixed versionNot Fixed
EPSS Score0.159%
EPSS Percentile5th percentile
Description

A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.


low : CVE--2026--6845

Affected range>0
Fixed versionNot Fixed
EPSS Score0.126%
EPSS Percentile3rd percentile
Description

A flaw was found in binutils, specifically within the readelf utility. This vulnerability allows a local attacker to cause a Denial of Service (DoS) by tricking a user into processing a specially crafted Executable and Linkable Format (ELF) file. The exploitation of this flaw can lead to the system becoming unresponsive due to excessive resource consumption or a program crash.


low : CVE--2026--6844

Affected range>0
Fixed versionNot Fixed
EPSS Score0.104%
EPSS Percentile1st percentile
Description

A flaw was found in the readelf utility of the binutils package. A local attacker could exploit two Denial of Service (DoS) vulnerabilities by providing a specially crafted Executable and Linkable Format (ELF) file. One vulnerability, a resource exhaustion (CWE-400), can lead to an out-of-memory condition. The other, a null pointer dereference (CWE-476), can cause a segmentation fault. Both issues can result in the readelf utility becoming unresponsive or crashing, leading to a denial of service.


low : CVE--2026--4647

Affected range>0
Fixed versionNot Fixed
EPSS Score0.162%
EPSS Percentile6th percentile
Description

A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.


low : CVE--2026--3442

Affected range>0
Fixed versionNot Fixed
EPSS Score0.227%
EPSS Percentile13th percentile
Description

A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.


low : CVE--2026--3441

Affected range>0
Fixed versionNot Fixed
EPSS Score0.168%
EPSS Percentile6th percentile
Description

A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.


low : CVE--2025--8225

Affected range>0
Fixed versionNot Fixed
EPSS Score0.214%
EPSS Percentile12th percentile
Description

A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. It is recommended to apply a patch to fix this issue.


low : CVE--2025--7546

Affected range>0
Fixed versionNot Fixed
EPSS Score0.172%
EPSS Percentile7th percentile
Description

A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. It is recommended to apply a patch to fix this issue.


low : CVE--2025--7545

Affected range>0
Fixed versionNot Fixed
EPSS Score0.254%
EPSS Percentile17th percentile
Description

A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.


low : CVE--2025--69652

Affected range>0
Fixed versionNot Fixed
EPSS Score0.173%
EPSS Percentile7th percentile
Description

GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. No evidence of memory corruption or code execution was observed; the impact is limited to denial of service.


low : CVE--2025--69651

Affected range>0
Fixed versionNot Fixed
EPSS Score0.240%
EPSS Percentile15th percentile
Description

GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.


low : CVE--2025--69650

Affected range>0
Fixed versionNot Fixed
EPSS Score0.502%
EPSS Percentile39th percentile
Description

GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.


low : CVE--2025--69649

Affected range>0
Fixed versionNot Fixed
EPSS Score0.256%
EPSS Percentile17th percentile
Description

GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed.


low : CVE--2025--69648

Affected range>0
Fixed versionNot Fixed
EPSS Score0.176%
EPSS Percentile7th percentile
Description

GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. No evidence of memory corruption or code execution was observed.


low : CVE--2025--69647

Affected range>0
Fixed versionNot Fixed
EPSS Score0.152%
EPSS Percentile5th percentile
Description

GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.


low : CVE--2025--69646

Affected range>0
Fixed versionNot Fixed
EPSS Score0.155%
EPSS Percentile5th percentile
Description

Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis.


low : CVE--2025--69645

Affected range>0
Fixed versionNot Fixed
EPSS Score0.166%
EPSS Percentile6th percentile
Description

Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. A local attacker can trigger the crash by supplying a malicious input file.


low : CVE--2025--69644

Affected range>0
Fixed versionNot Fixed
EPSS Score0.126%
EPSS Percentile3rd percentile
Description

An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.


low : CVE--2025--66866

Affected range>0
Fixed versionNot Fixed
EPSS Score0.279%
EPSS Percentile19th percentile
Description

An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.


  • binutils (unimportant)
    binutils not covered by security support and most certainly bogus since they
    were assigned for a very old binutils release

low : CVE--2025--66865

Affected range>0
Fixed versionNot Fixed
EPSS Score0.323%
EPSS Percentile24th percentile
Description

An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.


  • binutils (unimportant)
    binutils not covered by security support and most certainly bogus since they
    were assigned for a very old binutils release

low : CVE--2025--66864

Affected range>0
Fixed versionNot Fixed
EPSS Score0.204%
EPSS Percentile10th percentile
Description

An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.


  • binutils (unimportant)
    binutils not covered by security support and most certainly bogus since they
    were assigned for a very old binutils release

low : CVE--2025--66863

Affected range>0
Fixed versionNot Fixed
EPSS Score0.323%
EPSS Percentile24th percentile
Description

An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.


  • binutils (unimportant)
    binutils not covered by security support and most certainly bogus since they
    were assigned for a very old binutils release

low : CVE--2025--66862

Affected range>0
Fixed versionNot Fixed
EPSS Score0.318%
EPSS Percentile23rd percentile
Description

A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.


  • binutils (unimportant)
    binutils not covered by security support and most certainly bogus since they
    were assigned for a very old binutils release

low : CVE--2025--66861

Affected range>0
Fixed versionNot Fixed
EPSS Score0.123%
EPSS Percentile2nd percentile
Description

An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.


  • binutils (unimportant)
    binutils not covered by security support and most certainly bogus since they
    were assigned for a very old binutils release

low : CVE--2025--5245

Affected range>0
Fixed versionNot Fixed
EPSS Score0.235%
EPSS Percentile14th percentile
Description

A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.


low : CVE--2025--5244

Affected range>0
Fixed versionNot Fixed
EPSS Score0.235%
EPSS Percentile14th percentile
Description

A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.


low : CVE--2025--3198

Affected range>0
Fixed versionNot Fixed
EPSS Score0.229%
EPSS Percentile13th percentile
Description

A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. It is recommended to apply a patch to fix this issue.


low : CVE--2025--11840

Affected range>0
Fixed versionNot Fixed
EPSS Score0.251%
EPSS Percentile16th percentile
Description

A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. It is best practice to apply a patch to resolve this issue.


low : CVE--2025--11839

Affected range>0
Fixed versionNot Fixed
EPSS Score0.251%
EPSS Percentile16th percentile
Description

A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks.


low : CVE--2025--1182

Affected range>0
Fixed versionNot Fixed
EPSS Score0.542%
EPSS Percentile41st percentile
Description

A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. It is recommended to apply a patch to fix this issue.


low : CVE--2025--1181

Affected range>0
Fixed versionNot Fixed
EPSS Score0.657%
EPSS Percentile47th percentile
Description

A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.


low : CVE--2025--1180

Affected range>0
Fixed versionNot Fixed
EPSS Score0.644%
EPSS Percentile46th percentile
Description

A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.


low : CVE--2025--1178

Affected range>0
Fixed versionNot Fixed
EPSS Score0.735%
EPSS Percentile50th percentile
Description

A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.


low : CVE--2025--1176

Affected range>0
Fixed versionNot Fixed
EPSS Score0.619%
EPSS Percentile45th percentile
Description

A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.


low : CVE--2025--1153

Affected range>0
Fixed versionNot Fixed
EPSS Score1.252%
EPSS Percentile66th percentile
Description

A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.


low : CVE--2025--1152

Affected range>0
Fixed versionNot Fixed
EPSS Score0.564%
EPSS Percentile42nd percentile
Description

A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."


low : CVE--2025--1151

Affected range>0
Fixed versionNot Fixed
EPSS Score0.560%
EPSS Percentile42nd percentile
Description

A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."


low : CVE--2025--1150

Affected range>0
Fixed versionNot Fixed
EPSS Score0.560%
EPSS Percentile42nd percentile
Description

A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."


low : CVE--2025--11495

Affected range>0
Fixed versionNot Fixed
EPSS Score0.215%
EPSS Percentile12th percentile
Description

A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.


low : CVE--2025--11494

Affected range>0
Fixed versionNot Fixed
EPSS Score0.194%
EPSS Percentile9th percentile
Description

A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.


low : CVE--2025--1149

Affected range>0
Fixed versionNot Fixed
EPSS Score0.531%
EPSS Percentile41st percentile
Description

A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."


low : CVE--2025--1148

Affected range>0
Fixed versionNot Fixed
EPSS Score0.591%
EPSS Percentile44th percentile
Description

A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."


low : CVE--2025--1147

Affected range>0
Fixed versionNot Fixed
EPSS Score0.619%
EPSS Percentile45th percentile
Description

A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.


low : CVE--2025--11414

Affected range>0
Fixed versionNot Fixed
EPSS Score0.184%
EPSS Percentile8th percentile
Description

A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.


low : CVE--2025--11413

Affected range>0
Fixed versionNot Fixed
EPSS Score0.199%
EPSS Percentile10th percentile
Description

A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.


low : CVE--2025--11412

Affected range>0
Fixed versionNot Fixed
EPSS Score0.184%
EPSS Percentile8th percentile
Description

A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.


low : CVE--2025--11083

Affected range>0
Fixed versionNot Fixed
EPSS Score0.235%
EPSS Percentile14th percentile
Description

A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with "[f]ixed for 2.46".


low : CVE--2025--11082

Affected range>0
Fixed versionNot Fixed
EPSS Score0.234%
EPSS Percentile14th percentile
Description

A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. The code maintainer replied with "[f]ixed for 2.46".


low : CVE--2025--11081

Affected range>0
Fixed versionNot Fixed
EPSS Score0.189%
EPSS Percentile9th percentile
Description

A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. It is suggested to install a patch to address this issue.


low : CVE--2021--32256

Affected range>0
Fixed versionNot Fixed
EPSS Score0.667%
EPSS Percentile47th percentile
Description

An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.36. It is a stack-overflow issue in demangle_type in rust-demangle.c.


low : CVE--2018--9996

Affected range>0
Fixed versionNot Fixed
EPSS Score1.333%
EPSS Percentile67th percentile
Description

An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.


low : CVE--2018--20712

Affected range>0
Fixed versionNot Fixed
EPSS Score2.663%
EPSS Percentile84th percentile
Description

A heap-based buffer over-read exists in the function d_expression_1 in cp-demangle.c in GNU libiberty, as distributed in GNU Binutils 2.31.1. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by c++filt.


low : CVE--2018--20673

Affected range>0
Fixed versionNot Fixed
EPSS Score1.637%
EPSS Percentile73rd percentile
Description

The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for "Create an array for saving the template argument values") that can trigger a heap-based buffer overflow, as demonstrated by nm.


low : CVE--2017--13716

Affected range>0
Fixed versionNot Fixed
EPSS Score1.399%
EPSS Percentile69th percentile
Description

The C++ symbol demangler routine in cplus-dem.c in libiberty, as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted file, as demonstrated by a call from the Binary File Descriptor (BFD) library (aka libbfd).


critical: 0 high: 0 medium: 0 low: 7 glibc 2.41-12+deb13u3 (deb)

pkg:deb/debian/glibc@2.41-12%2Bdeb13u3?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2019--9192

Affected range>0
Fixed versionNot Fixed
EPSS Score2.447%
EPSS Percentile82nd percentile
Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern


low : CVE--2019--1010025

Affected range>0
Fixed versionNot Fixed
EPSS Score2.286%
EPSS Percentile81st percentile
Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability.


low : CVE--2019--1010024

Affected range>0
Fixed versionNot Fixed
EPSS Score3.220%
EPSS Percentile87th percentile
Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.


low : CVE--2019--1010023

Affected range>0
Fixed versionNot Fixed
EPSS Score3.069%
EPSS Percentile86th percentile
Description

GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.


low : CVE--2019--1010022

Affected range>0
Fixed versionNot Fixed
EPSS Score3.249%
EPSS Percentile87th percentile
Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.


low : CVE--2018--20796

Affected range>0
Fixed versionNot Fixed
EPSS Score5.804%
EPSS Percentile92nd percentile
Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.


low : CVE--2010--4756

Affected range>0
Fixed versionNot Fixed
EPSS Score2.633%
EPSS Percentile84th percentile
Description

The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.


  • glibc (unimportant)
  • eglibc (unimportant)
    That's standard POSIX behaviour implemented by (e)glibc. Applications using
    glob need to impose limits for themselves
critical: 0 high: 0 medium: 0 low: 5 unspecified: 7curl 8.14.1-2+deb13u3 (deb)

pkg:deb/debian/curl@8.14.1-2%2Bdeb13u3?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2026--8926

Affected range>0
Fixed versionNot Fixed
Description

low : CVE--2025--15224

Affected range>0
Fixed versionNot Fixed
EPSS Score0.413%
EPSS Percentile33rd percentile
Description

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.


low : CVE--2025--15079

Affected range>0
Fixed versionNot Fixed
EPSS Score0.457%
EPSS Percentile36th percentile
Description

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.


low : CVE--2025--14017

Affected range>0
Fixed versionNot Fixed
EPSS Score0.106%
EPSS Percentile1st percentile
Description

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.


low : CVE--2025--10966

Affected range>0
Fixed versionNot Fixed
EPSS Score0.364%
EPSS Percentile28th percentile
Description

curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more.


unspecified : CVE--2026--8927

Affected range>0
Fixed versionNot Fixed
Description

unspecified : CVE--2026--8924

Affected range>0
Fixed versionNot Fixed
Description

unspecified : CVE--2026--8458

Affected range>0
Fixed versionNot Fixed
Description

unspecified : CVE--2026--8286

Affected range>0
Fixed versionNot Fixed
Description

unspecified : CVE--2026--12064

Affected range>0
Fixed versionNot Fixed
Description

unspecified : CVE--2026--11856

Affected range>0
Fixed versionNot Fixed
Description

unspecified : CVE--2026--10536

Affected range>0
Fixed versionNot Fixed
Description
critical: 0 high: 0 medium: 0 low: 5 openldap 2.6.10+dfsg-1 (deb)

pkg:deb/debian/openldap@2.6.10%2Bdfsg-1?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2026--22185

Affected range>0
Fixed versionNot Fixed
EPSS Score0.127%
EPSS Percentile3rd percentile
Description

OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition.


low : CVE--2020--15719

Affected range>0
Fixed versionNot Fixed
EPSS Score2.417%
EPSS Percentile82nd percentile
Description

libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.


low : CVE--2017--17740

Affected range>0
Fixed versionNot Fixed
EPSS Score7.022%
EPSS Percentile93rd percentile
Description

contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.


low : CVE--2017--14159

Affected range>0
Fixed versionNot Fixed
EPSS Score0.349%
EPSS Percentile27th percentile
Description

slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript.


low : CVE--2015--3276

Affected range>0
Fixed versionNot Fixed
EPSS Score5.333%
EPSS Percentile92nd percentile
Description

The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.


  • openldap (unimportant)
    Debian builds with GNUTLS, not NSS
critical: 0 high: 0 medium: 0 low: 4 unspecified: 2util-linux 2.41-5 (deb)

pkg:deb/debian/util-linux@2.41-5?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2026--53614

Affected range>0
Fixed versionNot Fixed
Description

low : CVE--2026--53612

Affected range>0
Fixed versionNot Fixed
Description

low : CVE--2025--14104

Affected range>0
Fixed versionNot Fixed
EPSS Score0.176%
EPSS Percentile7th percentile
Description

A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the setpwnam() function, affecting SUID (Set User ID) login-utils utilities writing to the password database.


low : CVE--2022--0563

Affected range>0
Fixed versionNot Fixed
EPSS Score0.430%
EPSS Percentile34th percentile
Description

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.


unspecified : CVE--2026--53615

Affected range>0
Fixed versionNot Fixed
Description

unspecified : CVE--2026--53613

Affected range>0
Fixed versionNot Fixed
Description
critical: 0 high: 0 medium: 0 low: 2 coreutils 9.7-3 (deb)

pkg:deb/debian/coreutils@9.7-3?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2025--5278

Affected range>0
Fixed versionNot Fixed
EPSS Score0.209%
EPSS Percentile11th percentile
Description

A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.


low : CVE--2017--18018

Affected range>0
Fixed versionNot Fixed
EPSS Score0.348%
EPSS Percentile27th percentile
Description

In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.


critical: 0 high: 0 medium: 0 low: 2 sqlite3 3.46.1-7+deb13u1 (deb)

pkg:deb/debian/sqlite3@3.46.1-7%2Bdeb13u1?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2025--70873

Affected range>0
Fixed versionNot Fixed
EPSS Score0.301%
EPSS Percentile22nd percentile
Description

An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.


low : CVE--2021--45346

Affected range>0
Fixed versionNot Fixed
EPSS Score1.614%
EPSS Percentile73rd percentile
Description

A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.


critical: 0 high: 0 medium: 0 low: 1 bash-completion 1:2.16.0-7 (deb)

pkg:deb/debian/bash-completion@1%3A2.16.0-7?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2018--7738

Affected range>0
Fixed versionNot Fixed
EPSS Score0.457%
EPSS Percentile36th percentile
Description

In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.


critical: 0 high: 0 medium: 0 low: 1 gnutls28 3.8.9-3+deb13u4 (deb)

pkg:deb/debian/gnutls28@3.8.9-3%2Bdeb13u4?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2011--3389

Affected range>0
Fixed versionNot Fixed
EPSS Score73.327%
EPSS Percentile99th percentile
Description

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.


critical: 0 high: 0 medium: 0 low: 1 sed 4.9-2 (deb)

pkg:deb/debian/sed@4.9-2?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2026--5958

Affected range<4.9-2+deb13u1
Fixed version4.9-2+deb13u1
EPSS Score0.142%
EPSS Percentile4th percentile
Description

When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.


critical: 0 high: 0 medium: 0 low: 1 jansson 2.14-2 (deb)

pkg:deb/debian/jansson@2.14-2?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2020--36325

Affected range>0
Fixed versionNot Fixed
EPSS Score1.718%
EPSS Percentile74th percentile
Description

An issue was discovered in Jansson through 2.13.1. Due to a parsing error in json_loads, there's an out-of-bounds read-access bug. NOTE: the vendor reports that this only occurs when a programmer fails to follow the API specification


Bogus CVE assignment for Jansson (only if programmer fails to follow API specifications)
akheron/jansson#548

critical: 0 high: 0 medium: 0 low: 1 unzip 6.0-29 (deb)

pkg:deb/debian/unzip@6.0-29?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2021--4217

Affected range>0
Fixed versionNot Fixed
EPSS Score0.570%
EPSS Percentile43rd percentile
Description

A flaw was found in unzip. The vulnerability occurs due to improper handling of Unicode strings, which can lead to a null pointer dereference. This flaw allows an attacker to input a specially crafted zip file, leading to a crash or code execution.


critical: 0 high: 0 medium: 0 low: 1 shadow 1:4.17.4-2 (deb)

pkg:deb/debian/shadow@1%3A4.17.4-2?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2007--5686

Affected range>0
Fixed versionNot Fixed
EPSS Score0.942%
EPSS Percentile56th percentile
Description

initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.


  • shadow (unimportant)
    See #290803, on Debian LOG_UNKFAIL_ENAB in login.defs is set to no so
    unknown usernames are not recorded on login failures
critical: 0 high: 0 medium: 0 low: 1 apt 3.0.3 (deb)

pkg:deb/debian/apt@3.0.3?os_distro=trixie&os_name=debian&os_version=13

low : CVE--2011--3374

Affected range>0
Fixed versionNot Fixed
EPSS Score1.191%
EPSS Percentile64th percentile
Description

It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.


critical: 0 high: 0 medium: 0 low: 0 unspecified: 3libssh2 1.11.1-1 (deb)

pkg:deb/debian/libssh2@1.11.1-1?os_distro=trixie&os_name=debian&os_version=13

unspecified : CVE--2026--55200

Affected range>0
Fixed versionNot Fixed
EPSS Score0.545%
EPSS Percentile41st percentile
Description

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.


unspecified : CVE--2026--55199

Affected range>0
Fixed versionNot Fixed
EPSS Score0.371%
EPSS Percentile29th percentile
Description

libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.


unspecified : CVE--2025--15661

Affected range>0
Fixed versionNot Fixed
EPSS Score0.267%
EPSS Percentile18th percentile
Description

libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.


critical: 0 high: 0 medium: 0 low: 0 unspecified: 1memmap2 0.9.10 (cargo)

pkg:cargo/memmap2@0.9.10

unspecified : RUSTSEC--2026--0186

Affected range<0.9.11
Fixed version0.9.11
Description

Affected versionf of memmap2 did not perform enough validation on the offset and len parameters of
Mmap::[unchecked_]advise_range(),
MmapMut::[unchecked_]advise_ranage()
and MmapMut::flush[_async]_range().

This can cause undefined behavior due to invalid values being passed to pointer::offset() and pointer::add()
when passing an out-of-bounds range to any of the affected functions.

The flaw was corrected in commit [cee7cf0] and released in version 0.9.11.

The invalid pointer is not dereferenced,
but it is passed to the madvise and msync syscalls and their Windows equivalents.

[cee7cf0] RazrFalcon/memmap2-rs@cee7cf0

@github-actions

Copy link
Copy Markdown
Contributor Author

Recommended fixes for image vecoli:latest

Base image is debian:13-slim

Name13.4-slim
Digestsha256:486b1c3d3a6a836d2518d5ac1a7b522050a034ae83b47c063fd45d550b2b9dbf
Vulnerabilitiescritical: 1 high: 7 medium: 8 low: 16 unspecified: 2
Pushed1 month ago
Size30 MB
Packages111
OS13.4
The base image is also available under the supported tag(s): trixie-slim

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.
TagDetailsPushedVulnerabilities
13-slim
Newer image for same tag
Also known as:
  • 13.5-slim
  • trixie-slim
  • trixie-20260623-slim
Benefits:
  • Same OS detected
  • Newer image for same tag
  • Minor OS version update
  • Tag was pushed more recently
  • Image has similar size
  • Image contains equal number of packages
  • Tag is using slim variant
Image details:
  • Size: 30 MB
  • OS: 13.5
1 day ago



Change base image

TagDetailsPushedVulnerabilities
stable-slim
Tag is preferred tag
Also known as:
  • stable-20260623-slim
Benefits:
  • Same OS detected
  • Tag is preferred tag
  • Tag was pushed more recently
  • Image has similar size
  • Image contains equal number of packages
  • Tag is using slim variant
  • stable-slim was pulled 46K times last month
Image details:
  • Size: 30 MB
  • Flavor: debian
  • OS: 12
  • Slim: ✅
1 day ago



13
Tag is latest
Also known as:
  • 13.5
  • trixie
  • latest
  • trixie-20260623
Benefits:
  • Same OS detected
  • Minor OS version update
  • Tag was pushed more recently
  • Tag is latest
  • Image contains equal number of packages
Image details:
  • Size: 49 MB
  • OS: 13.5
1 day ago



@thalassemia thalassemia merged commit 449d3e8 into master Jun 24, 2026
12 of 14 checks passed
@thalassemia thalassemia deleted the security-updates branch June 24, 2026 23:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

long ci PR nearly ready to merge so run longer CI tests

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant