Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0406
Vulnerability from certfr_avis - Published: 2026-04-08 - Updated: 2026-04-08
De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | N/A | azl3 python-ecdsa 0.18.0-2 versions antérieures à 0.19.2-1 | ||
| Microsoft | N/A | azl3 freeipmi 1.6.11-1 versions antérieures à 1.6.17-1 | ||
| Microsoft | N/A | azl3 kernel 6.6.130.1-3 versions antérieures à 6.6.130.1-3 | ||
| Microsoft | N/A | azl3 nodejs 20.14.0-14 versions antérieures à 20.14.0-15 | ||
| Microsoft | N/A | azl3 gdk-pixbuf2 2.42.10-4 versions antérieures à 2.42.10-5 | ||
| Microsoft | N/A | azl3 vim 9.2.0240-1 versions antérieures à 9.2.0315-1 | ||
| Microsoft | N/A | azl3 telegraf 1.31.0-17 versions antérieures à 1.31.0-18 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "azl3 python-ecdsa 0.18.0-2 versions ant\u00e9rieures \u00e0 0.19.2-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 freeipmi 1.6.11-1 versions ant\u00e9rieures \u00e0 1.6.17-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 kernel 6.6.130.1-3 versions ant\u00e9rieures \u00e0 6.6.130.1-3",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 nodejs 20.14.0-14 versions ant\u00e9rieures \u00e0 20.14.0-15",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 gdk-pixbuf2 2.42.10-4 versions ant\u00e9rieures \u00e0 2.42.10-5",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 vim 9.2.0240-1 versions ant\u00e9rieures \u00e0 9.2.0315-1",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 telegraf 1.31.0-17 versions ant\u00e9rieures \u00e0 1.31.0-18",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-34714",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34714"
},
{
"name": "CVE-2026-33936",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33936"
},
{
"name": "CVE-2026-34982",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34982"
},
{
"name": "CVE-2026-33554",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33554"
},
{
"name": "CVE-2026-5201",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-5201"
},
{
"name": "CVE-2026-31394",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31394"
},
{
"name": "CVE-2026-21715",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21715"
},
{
"name": "CVE-2026-21716",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21716"
},
{
"name": "CVE-2026-21714",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21714"
},
{
"name": "CVE-2026-33216",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33216"
},
{
"name": "CVE-2026-21713",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21713"
},
{
"name": "CVE-2026-35177",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35177"
},
{
"name": "CVE-2026-29785",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29785"
},
{
"name": "CVE-2026-21710",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21710"
}
],
"initial_release_date": "2026-04-08T00:00:00",
"last_revision_date": "2026-04-08T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0406",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-04-08T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Microsoft. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
"vendor_advisories": [
{
"published_at": "2026-04-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-33554",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33554"
},
{
"published_at": "2026-04-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-34982",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34982"
},
{
"published_at": "2026-03-29",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-33936",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33936"
},
{
"published_at": "2026-04-01",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-21714",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21714"
},
{
"published_at": "2026-04-01",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-21710",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21710"
},
{
"published_at": "2026-04-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31394",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31394"
},
{
"published_at": "2026-04-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-29785",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-29785"
},
{
"published_at": "2026-04-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-5201",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-5201"
},
{
"published_at": "2026-04-01",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-21713",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21713"
},
{
"published_at": "2026-04-02",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-33216",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33216"
},
{
"published_at": "2026-04-01",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-21715",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21715"
},
{
"published_at": "2026-04-01",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-21716",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21716"
},
{
"published_at": "2026-04-01",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-34714",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34714"
},
{
"published_at": "2026-04-08",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-35177",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35177"
}
]
}
CVE-2026-21710 (GCVE-0-2026-21710)
Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-03-31 13:55
VLAI
EPSS
Summary
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.
When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.
* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
Severity
7.5 (High)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nodejs | node |
Affected:
20.20.1 , ≤ 20.20.1
(semver)
Affected: 22.22.1 , ≤ 22.22.1 (semver) Affected: 24.14.0 , ≤ 24.14.0 (semver) Affected: 25.8.1 , ≤ 25.8.1 (semver) Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.* (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.* (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.* (semver) Affected: 19.0 , < 19.* (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21710",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T13:55:20.665443Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T13:55:23.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "20.20.1",
"status": "affected",
"version": "20.20.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "22.22.1",
"status": "affected",
"version": "22.22.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.14.0",
"status": "affected",
"version": "24.14.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "25.8.1",
"status": "affected",
"version": "25.8.1",
"versionType": "semver"
},
{
"lessThan": "4.*",
"status": "affected",
"version": "4.0",
"versionType": "semver"
},
{
"lessThan": "5.*",
"status": "affected",
"version": "5.0",
"versionType": "semver"
},
{
"lessThan": "6.*",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "7.*",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "8.*",
"status": "affected",
"version": "8.0",
"versionType": "semver"
},
{
"lessThan": "9.*",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "10.*",
"status": "affected",
"version": "10.0",
"versionType": "semver"
},
{
"lessThan": "11.*",
"status": "affected",
"version": "11.0",
"versionType": "semver"
},
{
"lessThan": "12.*",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThan": "13.*",
"status": "affected",
"version": "13.0",
"versionType": "semver"
},
{
"lessThan": "14.*",
"status": "affected",
"version": "14.0",
"versionType": "semver"
},
{
"lessThan": "15.*",
"status": "affected",
"version": "15.0",
"versionType": "semver"
},
{
"lessThan": "16.*",
"status": "affected",
"version": "16.0",
"versionType": "semver"
},
{
"lessThan": "17.*",
"status": "affected",
"version": "17.0",
"versionType": "semver"
},
{
"lessThan": "18.*",
"status": "affected",
"version": "18.0",
"versionType": "semver"
},
{
"lessThan": "19.*",
"status": "affected",
"version": "19.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**"
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T19:07:28.558Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-21710",
"datePublished": "2026-03-30T19:07:28.558Z",
"dateReserved": "2026-01-04T15:00:06.574Z",
"dateUpdated": "2026-03-31T13:55:23.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21713 (GCVE-0-2026-21713)
Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-05-10 13:17
VLAI
EPSS
Summary
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.
Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.
This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
Severity
5.9 (Medium)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nodejs | node |
Affected:
20.20.1 , ≤ 20.20.1
(semver)
Affected: 22.22.1 , ≤ 22.22.1 (semver) Affected: 24.14.0 , ≤ 24.14.0 (semver) Affected: 25.8.1 , ≤ 25.8.1 (semver) Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.* (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.* (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.* (semver) Affected: 19.0 , < 19.* (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T19:45:13.027379Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T13:17:50.281Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "20.20.1",
"status": "affected",
"version": "20.20.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "22.22.1",
"status": "affected",
"version": "22.22.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.14.0",
"status": "affected",
"version": "24.14.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "25.8.1",
"status": "affected",
"version": "25.8.1",
"versionType": "semver"
},
{
"lessThan": "4.*",
"status": "affected",
"version": "4.0",
"versionType": "semver"
},
{
"lessThan": "5.*",
"status": "affected",
"version": "5.0",
"versionType": "semver"
},
{
"lessThan": "6.*",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "7.*",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "8.*",
"status": "affected",
"version": "8.0",
"versionType": "semver"
},
{
"lessThan": "9.*",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "10.*",
"status": "affected",
"version": "10.0",
"versionType": "semver"
},
{
"lessThan": "11.*",
"status": "affected",
"version": "11.0",
"versionType": "semver"
},
{
"lessThan": "12.*",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThan": "13.*",
"status": "affected",
"version": "13.0",
"versionType": "semver"
},
{
"lessThan": "14.*",
"status": "affected",
"version": "14.0",
"versionType": "semver"
},
{
"lessThan": "15.*",
"status": "affected",
"version": "15.0",
"versionType": "semver"
},
{
"lessThan": "16.*",
"status": "affected",
"version": "16.0",
"versionType": "semver"
},
{
"lessThan": "17.*",
"status": "affected",
"version": "17.0",
"versionType": "semver"
},
{
"lessThan": "18.*",
"status": "affected",
"version": "18.0",
"versionType": "semver"
},
{
"lessThan": "19.*",
"status": "affected",
"version": "19.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.\r\n\r\nNode.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T19:07:28.356Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-21713",
"datePublished": "2026-03-30T19:07:28.356Z",
"dateReserved": "2026-01-04T15:00:06.574Z",
"dateUpdated": "2026-05-10T13:17:50.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21714 (GCVE-0-2026-21714)
Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-03-31 18:05
VLAI
EPSS
Summary
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.
This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.
Severity
5.3 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T16:14:45.777607Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T18:05:22.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "20.20.1",
"status": "affected",
"version": "20.20.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "22.22.1",
"status": "affected",
"version": "22.22.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.14.0",
"status": "affected",
"version": "24.14.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "25.8.1",
"status": "affected",
"version": "25.8.1",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2\u00b3\u00b9-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T19:07:28.317Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-21714",
"datePublished": "2026-03-30T19:07:28.317Z",
"dateReserved": "2026-01-04T15:00:06.574Z",
"dateUpdated": "2026-03-31T18:05:22.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21715 (GCVE-0-2026-21715)
Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-04-01 15:02
VLAI
EPSS
Summary
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.
As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.
This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.
Severity
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nodejs | node |
Affected:
20.20.1 , ≤ 20.20.1
(semver)
Affected: 22.22.1 , ≤ 22.22.1 (semver) Affected: 24.14.0 , ≤ 24.14.0 (semver) Affected: 25.8.1 , ≤ 25.8.1 (semver) Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.* (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.* (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.* (semver) Affected: 19.0 , < 19.* (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T14:55:13.031405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:02:10.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "20.20.1",
"status": "affected",
"version": "20.20.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "22.22.1",
"status": "affected",
"version": "22.22.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.14.0",
"status": "affected",
"version": "24.14.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "25.8.1",
"status": "affected",
"version": "25.8.1",
"versionType": "semver"
},
{
"lessThan": "4.*",
"status": "affected",
"version": "4.0",
"versionType": "semver"
},
{
"lessThan": "5.*",
"status": "affected",
"version": "5.0",
"versionType": "semver"
},
{
"lessThan": "6.*",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "7.*",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "8.*",
"status": "affected",
"version": "8.0",
"versionType": "semver"
},
{
"lessThan": "9.*",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "10.*",
"status": "affected",
"version": "10.0",
"versionType": "semver"
},
{
"lessThan": "11.*",
"status": "affected",
"version": "11.0",
"versionType": "semver"
},
{
"lessThan": "12.*",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThan": "13.*",
"status": "affected",
"version": "13.0",
"versionType": "semver"
},
{
"lessThan": "14.*",
"status": "affected",
"version": "14.0",
"versionType": "semver"
},
{
"lessThan": "15.*",
"status": "affected",
"version": "15.0",
"versionType": "semver"
},
{
"lessThan": "16.*",
"status": "affected",
"version": "16.0",
"versionType": "semver"
},
{
"lessThan": "17.*",
"status": "affected",
"version": "17.0",
"versionType": "semver"
},
{
"lessThan": "18.*",
"status": "affected",
"version": "18.0",
"versionType": "semver"
},
{
"lessThan": "19.*",
"status": "affected",
"version": "19.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T19:07:28.507Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-21715",
"datePublished": "2026-03-30T19:07:28.507Z",
"dateReserved": "2026-01-04T15:00:06.574Z",
"dateUpdated": "2026-04-01T15:02:10.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21716 (GCVE-0-2026-21716)
Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-03-31 14:27
VLAI
EPSS
Summary
An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.
As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.
This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.
Severity
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T14:27:06.373734Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:27:23.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "20.20.1",
"status": "affected",
"version": "20.20.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "22.22.1",
"status": "affected",
"version": "22.22.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.14.0",
"status": "affected",
"version": "24.14.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "25.8.1",
"status": "affected",
"version": "25.8.1",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T19:07:28.538Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-21716",
"datePublished": "2026-03-30T19:07:28.538Z",
"dateReserved": "2026-01-04T15:00:06.575Z",
"dateUpdated": "2026-03-31T14:27:23.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29785 (GCVE-0-2026-29785)
Vulnerability from cvelistv5 – Published: 2026-03-25 19:38 – Updated: 2026-03-28 01:34
VLAI
EPSS
Title
NATS Server panic via malicious compression on leafnode port
Summary
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port.
Severity
7.5 (High)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nats-io/nats-server/security/a… | x_refsource_CONFIRM |
| https://github.com/nats-io/nats-server/commit/a14… | x_refsource_MISC |
| https://advisories.nats.io/CVE/secnote-2026-04.txt | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nats-io | nats-server |
Affected:
< 2.11.14
Affected: >= 2.12.0-RC.1, < 2.12.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29785",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-28T01:33:48.548539Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-28T01:34:06.528Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nats-server",
"vendor": "nats-io",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.14"
},
{
"status": "affected",
"version": "\u003e= 2.12.0-RC.1, \u003c 2.12.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the \"leafnode\" configuration enabled (not default), then anyone who can connect can crash the nats-server by triggering a panic. This happens pre-authentication and requires that compression be enabled (which it is, by default, when leafnodes are used). Versions 2.11.14 and 2.12.5 contain a fix. As a workaround, disable compression on the leafnode port."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T19:40:51.282Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-52jh-2xxh-pwh6"
},
{
"name": "https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nats-io/nats-server/commit/a1488de6f2ba6e666aef0f9cce0016f7f167d6a8"
},
{
"name": "https://advisories.nats.io/CVE/secnote-2026-04.txt",
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.nats.io/CVE/secnote-2026-04.txt"
}
],
"source": {
"advisory": "GHSA-52jh-2xxh-pwh6",
"discovery": "UNKNOWN"
},
"title": "NATS Server panic via malicious compression on leafnode port"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29785",
"datePublished": "2026-03-25T19:38:44.587Z",
"dateReserved": "2026-03-04T16:26:02.899Z",
"dateUpdated": "2026-03-28T01:34:06.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31394 (GCVE-0-2026-31394)
Vulnerability from cvelistv5 – Published: 2026-04-03 15:15 – Updated: 2026-05-11 22:07
VLAI
EPSS
Title
mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations
Summary
In the Linux kernel, the following vulnerability has been resolved:
mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations
ieee80211_chan_bw_change() iterates all stations and accesses
link->reserved.oper via sta->sdata->link[link_id]. For stations on
AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to
the VLAN sdata, whose link never participates in chanctx reservations.
This leaves link->reserved.oper zero-initialized with chan == NULL,
causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw()
when accessing chandef->chan->band during CSA.
Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata()
before accessing link data.
[also change sta->sdata in ARRAY_SIZE even if it doesn't matter]
Severity
No CVSS data available.
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
b27512368591fc959768df1f7dacf2a96b1bd036 , < 65c25b588994dd422fea73fa322de56e1ae4a33b
(git)
Affected: b27512368591fc959768df1f7dacf2a96b1bd036 , < 5a86d4e920d9783a198e39cf53f0e410fba5fbd6 (git) Affected: b27512368591fc959768df1f7dacf2a96b1bd036 , < 3c6629e859a2211a1fbb4868f915413f80001ca5 (git) Affected: b27512368591fc959768df1f7dacf2a96b1bd036 , < 672e5229e1ecfc2a3509b53adcb914d8b024a853 (git) |
|
| Linux | Linux |
Affected:
6.11
Unaffected: 0 , < 6.11 (semver) Unaffected: 6.12.78 , ≤ 6.12.* (semver) Unaffected: 6.18.20 , ≤ 6.18.* (semver) Unaffected: 6.19.10 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/chan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "65c25b588994dd422fea73fa322de56e1ae4a33b",
"status": "affected",
"version": "b27512368591fc959768df1f7dacf2a96b1bd036",
"versionType": "git"
},
{
"lessThan": "5a86d4e920d9783a198e39cf53f0e410fba5fbd6",
"status": "affected",
"version": "b27512368591fc959768df1f7dacf2a96b1bd036",
"versionType": "git"
},
{
"lessThan": "3c6629e859a2211a1fbb4868f915413f80001ca5",
"status": "affected",
"version": "b27512368591fc959768df1f7dacf2a96b1bd036",
"versionType": "git"
},
{
"lessThan": "672e5229e1ecfc2a3509b53adcb914d8b024a853",
"status": "affected",
"version": "b27512368591fc959768df1f7dacf2a96b1bd036",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/chan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.20",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.20",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.10",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations\n\nieee80211_chan_bw_change() iterates all stations and accesses\nlink-\u003ereserved.oper via sta-\u003esdata-\u003elink[link_id]. For stations on\nAP_VLAN interfaces (e.g. 4addr WDS clients), sta-\u003esdata points to\nthe VLAN sdata, whose link never participates in chanctx reservations.\nThis leaves link-\u003ereserved.oper zero-initialized with chan == NULL,\ncausing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw()\nwhen accessing chandef-\u003echan-\u003eband during CSA.\n\nResolve the VLAN sdata to its parent AP sdata using get_bss_sdata()\nbefore accessing link data.\n\n[also change sta-\u003esdata in ARRAY_SIZE even if it doesn\u0027t matter]"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:07:51.015Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/65c25b588994dd422fea73fa322de56e1ae4a33b"
},
{
"url": "https://git.kernel.org/stable/c/5a86d4e920d9783a198e39cf53f0e410fba5fbd6"
},
{
"url": "https://git.kernel.org/stable/c/3c6629e859a2211a1fbb4868f915413f80001ca5"
},
{
"url": "https://git.kernel.org/stable/c/672e5229e1ecfc2a3509b53adcb914d8b024a853"
}
],
"title": "mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31394",
"datePublished": "2026-04-03T15:15:58.806Z",
"dateReserved": "2026-03-09T15:48:24.085Z",
"dateUpdated": "2026-05-11T22:07:51.015Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33216 (GCVE-0-2026-33216)
Vulnerability from cvelistv5 – Published: 2026-03-25 19:41 – Updated: 2026-03-28 01:37
VLAI
EPSS
Title
NATS has MQTT plaintext password disclosure
Summary
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.
Severity
8.6 (High)
CWE
- CWE-256 - Plaintext Storage of a Password
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nats-io/nats-server/security/a… | x_refsource_CONFIRM |
| https://github.com/nats-io/nats-server/commit/b5b… | x_refsource_MISC |
| https://advisories.nats.io/CVE/secnote-2026-05.txt | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nats-io | nats-server |
Affected:
< 2.11.15
Affected: >= 2.12.0-RC.1, < 2.12.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33216",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-28T01:37:25.310195Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-28T01:37:49.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nats-server",
"vendor": "nats-io",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.15"
},
{
"status": "affected",
"version": "\u003e= 2.12.0-RC.1, \u003c 2.12.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, for MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Versions 2.11.14 and 2.12.6 contain a fix. As a workaround, ensure monitoring end-points are adequately secured. Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "CWE-256: Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T19:47:49.517Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc"
},
{
"name": "https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099"
},
{
"name": "https://advisories.nats.io/CVE/secnote-2026-05.txt",
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.nats.io/CVE/secnote-2026-05.txt"
}
],
"source": {
"advisory": "GHSA-v722-jcv5-w7mc",
"discovery": "UNKNOWN"
},
"title": "NATS has MQTT plaintext password disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33216",
"datePublished": "2026-03-25T19:41:55.670Z",
"dateReserved": "2026-03-17T23:23:58.314Z",
"dateUpdated": "2026-03-28T01:37:49.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33554 (GCVE-0-2026-33554)
Vulnerability from cvelistv5 – Published: 2026-03-24 00:00 – Updated: 2026-03-24 18:50
VLAI
EPSS
Summary
ipmi-oem in FreeIPMI before 1.16.17 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Three subcommands were found to have exploitable buffer overflows on response messages. They are: "ipmi-oem dell get-last-post-code - get the last POST code and string describing the error on some Dell servers," "ipmi-oem supermicro extra-firmware-info - get extra firmware info on Supermicro servers," and "ipmi-oem wistron read-proprietary-string - read a proprietary string on Wistron servers."
Severity
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-33554",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T18:50:27.676350Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T18:50:48.586Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ipmi-oem in FreeIPMI before 1.16.17 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Three subcommands were found to have exploitable buffer overflows on response messages. They are: \"ipmi-oem dell get-last-post-code - get the last POST code and string describing the error on some Dell servers,\" \"ipmi-oem supermicro extra-firmware-info - get extra firmware info on Supermicro servers,\" and \"ipmi-oem wistron read-proprietary-string - read a proprietary string on Wistron servers.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T14:05:40.956Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://savannah.gnu.org/bugs/?68140"
},
{
"url": "https://savannah.gnu.org/bugs/?68141"
},
{
"url": "https://savannah.gnu.org/bugs/?68142"
},
{
"url": "https://ftp.gnu.org/gnu/freeipmi/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-33554",
"datePublished": "2026-03-24T00:00:00.000Z",
"dateReserved": "2026-03-22T00:00:00.000Z",
"dateUpdated": "2026-03-24T18:50:48.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33936 (GCVE-0-2026-33936)
Vulnerability from cvelistv5 – Published: 2026-03-27 22:08 – Updated: 2026-04-01 13:44
VLAI
EPSS
Title
python-ecdsa: Denial of Service via improper DER length validation in crafted private keys
Summary
The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2, an issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected. Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service. Version 0.19.2 patches the issue.
Severity
5.3 (Medium)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/tlsfuzzer/python-ecdsa/securit… | x_refsource_CONFIRM |
| https://github.com/tlsfuzzer/python-ecdsa/commit/… | x_refsource_MISC |
| https://github.com/tlsfuzzer/python-ecdsa/release… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tlsfuzzer | python-ecdsa |
Affected:
< 0.19.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33936",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T13:44:27.418372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T13:44:46.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "python-ecdsa",
"vendor": "tlsfuzzer",
"versions": [
{
"status": "affected",
"version": "\u003c 0.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Prior to version 0.19.2, an issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected. Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service. Version 0.19.2 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T22:08:22.868Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g"
},
{
"name": "https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3"
},
{
"name": "https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2"
}
],
"source": {
"advisory": "GHSA-9f5j-8jwj-x28g",
"discovery": "UNKNOWN"
},
"title": "python-ecdsa: Denial of Service via improper DER length validation in crafted private keys"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33936",
"datePublished": "2026-03-27T22:08:22.868Z",
"dateReserved": "2026-03-24T19:50:52.103Z",
"dateUpdated": "2026-04-01T13:44:46.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…