Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0463
Vulnerability from certfr_avis - Published: 2026-04-20 - Updated: 2026-04-20
De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | Azure Linux | azl3 pytorch 2.2.2-12 versions antérieures à 2.2.2-14 | ||
| Microsoft | Azure Linux | azl3 sqlite 3.44.0-2 versions antérieures à 3.44.0-3 | ||
| Microsoft | Azure Linux | azl3 mesa 24.0.1-6 versions antérieures à 24.0.1-8 | ||
| Microsoft | Azure Linux | azl3 jq 1.7.1-4 versions antérieures à 1.7.1-5 | ||
| Microsoft | Azure Linux | azl3 kernel 6.6.130.1-3 versions antérieures à 6.6.134.1-1 | ||
| Microsoft | Azure Linux | azl3 cups 2.4.16-1 versions antérieures à 2.4.17-1 |
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "azl3 pytorch 2.2.2-12 versions ant\u00e9rieures \u00e0 2.2.2-14",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 sqlite 3.44.0-2 versions ant\u00e9rieures \u00e0 3.44.0-3",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 mesa 24.0.1-6 versions ant\u00e9rieures \u00e0 24.0.1-8",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 jq 1.7.1-4 versions ant\u00e9rieures \u00e0 1.7.1-5",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 kernel 6.6.130.1-3 versions ant\u00e9rieures \u00e0 6.6.134.1-1",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "azl3 cups 2.4.16-1 versions ant\u00e9rieures \u00e0 2.4.17-1",
"product": {
"name": "Azure Linux",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-40393",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40393"
},
{
"name": "CVE-2026-33947",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33947"
},
{
"name": "CVE-2026-39956",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39956"
},
{
"name": "CVE-2026-34446",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34446"
},
{
"name": "CVE-2026-31416",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31416"
},
{
"name": "CVE-2026-39314",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39314"
},
{
"name": "CVE-2026-31408",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31408"
},
{
"name": "CVE-2026-34978",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34978"
},
{
"name": "CVE-2026-34990",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34990"
},
{
"name": "CVE-2026-31422",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31422"
},
{
"name": "CVE-2026-33948",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33948"
},
{
"name": "CVE-2026-31418",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31418"
},
{
"name": "CVE-2026-31427",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31427"
},
{
"name": "CVE-2026-31423",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31423"
},
{
"name": "CVE-2026-27447",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27447"
},
{
"name": "CVE-2026-39979",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39979"
},
{
"name": "CVE-2026-34979",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34979"
},
{
"name": "CVE-2026-39316",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39316"
},
{
"name": "CVE-2026-40164",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40164"
},
{
"name": "CVE-2026-31421",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31421"
},
{
"name": "CVE-2026-31417",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31417"
},
{
"name": "CVE-2025-70873",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-70873"
},
{
"name": "CVE-2026-31414",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31414"
},
{
"name": "CVE-2026-31426",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31426"
},
{
"name": "CVE-2026-34980",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34980"
},
{
"name": "CVE-2026-32316",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32316"
},
{
"name": "CVE-2026-31428",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31428"
},
{
"name": "CVE-2026-34445",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34445"
},
{
"name": "CVE-2026-31424",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31424"
}
],
"initial_release_date": "2026-04-20T00:00:00",
"last_revision_date": "2026-04-20T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0463",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-04-20T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Microsoft. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
"vendor_advisories": [
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31424",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31424"
},
{
"published_at": "2026-04-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-33947",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33947"
},
{
"published_at": "2026-04-07",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31408",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31408"
},
{
"published_at": "2026-04-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-34979",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34979"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31414",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31414"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31418",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31418"
},
{
"published_at": "2026-04-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-32316",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32316"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31427",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31427"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31421",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31421"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31417",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31417"
},
{
"published_at": "2026-04-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-27447",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27447"
},
{
"published_at": "2026-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-39316",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-39316"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-40393",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40393"
},
{
"published_at": "2026-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-39314",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-39314"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31426",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31426"
},
{
"published_at": "2026-04-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-34990",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34990"
},
{
"published_at": "2026-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-34446",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34446"
},
{
"published_at": "2026-04-18",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2025-70873",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-70873"
},
{
"published_at": "2026-04-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-39956",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-39956"
},
{
"published_at": "2026-04-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-40164",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40164"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31416",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31416"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31423",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31423"
},
{
"published_at": "2026-04-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-34978",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34978"
},
{
"published_at": "2026-04-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-33948",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33948"
},
{
"published_at": "2026-04-05",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-34980",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34980"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31428",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31428"
},
{
"published_at": "2026-04-14",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31422",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31422"
},
{
"published_at": "2026-04-17",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-39979",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-39979"
},
{
"published_at": "2026-04-09",
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-34445",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34445"
}
]
}
CVE-2026-31424 (GCVE-0-2026-31424)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-05-11 22:08
VLAI
EPSS
Title
netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
Weiming Shi says:
xt_match and xt_target structs registered with NFPROTO_UNSPEC can be
loaded by any protocol family through nft_compat. When such a
match/target sets .hooks to restrict which hooks it may run on, the
bitmask uses NF_INET_* constants. This is only correct for families
whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge
all share the same five hooks (PRE_ROUTING ... POST_ROUTING).
ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different
semantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks
validation silently passes for the wrong reasons, allowing matches to
run on ARP chains where the hook assumptions (e.g. state->in being
set on input hooks) do not hold. This leads to NULL pointer
dereferences; xt_devgroup is one concrete example:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]
RIP: 0010:devgroup_mt+0xff/0x350
Call Trace:
<TASK>
nft_match_eval (net/netfilter/nft_compat.c:407)
nft_do_chain (net/netfilter/nf_tables_core.c:285)
nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)
nf_hook_slow (net/netfilter/core.c:623)
arp_xmit (net/ipv4/arp.c:666)
</TASK>
Kernel panic - not syncing: Fatal exception in interrupt
Fix it by restricting arptables to NFPROTO_ARP extensions only.
Note that arptables-legacy only supports:
- arpt_CLASSIFY
- arpt_mangle
- arpt_MARK
that provide explicit NFPROTO_ARP match/target declarations.
Severity
No CVSS data available.
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/80e3c75f71c3ea1e6… | |
| https://git.kernel.org/stable/c/d9a0af9e43416aa50… | |
| https://git.kernel.org/stable/c/1cd6313c8644bfebb… | |
| https://git.kernel.org/stable/c/f00ac65c90ea47571… | |
| https://git.kernel.org/stable/c/e7e1b6bcb389c8708… | |
| https://git.kernel.org/stable/c/dc3e27dd7d76e2110… | |
| https://git.kernel.org/stable/c/3e79374b03bf9a2f2… | |
| https://git.kernel.org/stable/c/3d5d488f11776738d… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
9291747f118d6404e509747b85ff5f6dfec368d2 , < 80e3c75f71c3ea1e62fcb032382de13e00a68f8b
(git)
Affected: 9291747f118d6404e509747b85ff5f6dfec368d2 , < d9a0af9e43416aa50c0595e15fa01365a1c72c49 (git) Affected: 9291747f118d6404e509747b85ff5f6dfec368d2 , < 1cd6313c8644bfebbd813a05da9daa21b09dd68c (git) Affected: 9291747f118d6404e509747b85ff5f6dfec368d2 , < f00ac65c90ea475719e08d629e2e26c8b4e6999b (git) Affected: 9291747f118d6404e509747b85ff5f6dfec368d2 , < e7e1b6bcb389c8708003d40613a59ff2496f6b1f (git) Affected: 9291747f118d6404e509747b85ff5f6dfec368d2 , < dc3e27dd7d76e21106b8f9bbdc31f5da74a89014 (git) Affected: 9291747f118d6404e509747b85ff5f6dfec368d2 , < 3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a (git) Affected: 9291747f118d6404e509747b85ff5f6dfec368d2 , < 3d5d488f11776738deab9da336038add95d342d1 (git) |
|
| Linux | Linux |
Affected:
2.6.39
Unaffected: 0 , < 2.6.39 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/x_tables.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80e3c75f71c3ea1e62fcb032382de13e00a68f8b",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "d9a0af9e43416aa50c0595e15fa01365a1c72c49",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "1cd6313c8644bfebbd813a05da9daa21b09dd68c",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "f00ac65c90ea475719e08d629e2e26c8b4e6999b",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "e7e1b6bcb389c8708003d40613a59ff2496f6b1f",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "dc3e27dd7d76e21106b8f9bbdc31f5da74a89014",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
},
{
"lessThan": "3d5d488f11776738deab9da336038add95d342d1",
"status": "affected",
"version": "9291747f118d6404e509747b85ff5f6dfec368d2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/x_tables.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.39"
},
{
"lessThan": "2.6.39",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP\n\nWeiming Shi says:\n\nxt_match and xt_target structs registered with NFPROTO_UNSPEC can be\nloaded by any protocol family through nft_compat. When such a\nmatch/target sets .hooks to restrict which hooks it may run on, the\nbitmask uses NF_INET_* constants. This is only correct for families\nwhose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge\nall share the same five hooks (PRE_ROUTING ... POST_ROUTING).\n\nARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different\nsemantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks\nvalidation silently passes for the wrong reasons, allowing matches to\nrun on ARP chains where the hook assumptions (e.g. state-\u003ein being\nset on input hooks) do not hold. This leads to NULL pointer\ndereferences; xt_devgroup is one concrete example:\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]\n RIP: 0010:devgroup_mt+0xff/0x350\n Call Trace:\n \u003cTASK\u003e\n nft_match_eval (net/netfilter/nft_compat.c:407)\n nft_do_chain (net/netfilter/nf_tables_core.c:285)\n nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)\n nf_hook_slow (net/netfilter/core.c:623)\n arp_xmit (net/ipv4/arp.c:666)\n \u003c/TASK\u003e\n Kernel panic - not syncing: Fatal exception in interrupt\n\nFix it by restricting arptables to NFPROTO_ARP extensions only.\nNote that arptables-legacy only supports:\n\n- arpt_CLASSIFY\n- arpt_mangle\n- arpt_MARK\n\nthat provide explicit NFPROTO_ARP match/target declarations."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:26.363Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80e3c75f71c3ea1e62fcb032382de13e00a68f8b"
},
{
"url": "https://git.kernel.org/stable/c/d9a0af9e43416aa50c0595e15fa01365a1c72c49"
},
{
"url": "https://git.kernel.org/stable/c/1cd6313c8644bfebbd813a05da9daa21b09dd68c"
},
{
"url": "https://git.kernel.org/stable/c/f00ac65c90ea475719e08d629e2e26c8b4e6999b"
},
{
"url": "https://git.kernel.org/stable/c/e7e1b6bcb389c8708003d40613a59ff2496f6b1f"
},
{
"url": "https://git.kernel.org/stable/c/dc3e27dd7d76e21106b8f9bbdc31f5da74a89014"
},
{
"url": "https://git.kernel.org/stable/c/3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a"
},
{
"url": "https://git.kernel.org/stable/c/3d5d488f11776738deab9da336038add95d342d1"
}
],
"title": "netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31424",
"datePublished": "2026-04-13T13:40:27.957Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-05-11T22:08:26.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31426 (GCVE-0-2026-31426)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-05-11 22:08
VLAI
EPSS
Title
ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()
When ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware
platforms, it has already started the EC and installed the address
space handler with the struct acpi_ec pointer as handler context.
However, acpi_ec_setup() propagates the error without any cleanup.
The caller acpi_ec_add() then frees the struct acpi_ec for non-boot
instances, leaving a dangling handler context in ACPICA.
Any subsequent AML evaluation that accesses an EC OpRegion field
dispatches into acpi_ec_space_handler() with the freed pointer,
causing a use-after-free:
BUG: KASAN: slab-use-after-free in mutex_lock (kernel/locking/mutex.c:289)
Write of size 8 at addr ffff88800721de38 by task init/1
Call Trace:
<TASK>
mutex_lock (kernel/locking/mutex.c:289)
acpi_ec_space_handler (drivers/acpi/ec.c:1362)
acpi_ev_address_space_dispatch (drivers/acpi/acpica/evregion.c:293)
acpi_ex_access_region (drivers/acpi/acpica/exfldio.c:246)
acpi_ex_field_datum_io (drivers/acpi/acpica/exfldio.c:509)
acpi_ex_extract_from_field (drivers/acpi/acpica/exfldio.c:700)
acpi_ex_read_data_from_field (drivers/acpi/acpica/exfield.c:327)
acpi_ex_resolve_node_to_value (drivers/acpi/acpica/exresolv.c:392)
</TASK>
Allocated by task 1:
acpi_ec_alloc (drivers/acpi/ec.c:1424)
acpi_ec_add (drivers/acpi/ec.c:1692)
Freed by task 1:
kfree (mm/slub.c:6876)
acpi_ec_add (drivers/acpi/ec.c:1751)
The bug triggers on reduced-hardware EC platforms (ec->gpe < 0)
when the GPIO IRQ provider defers probing. Once the stale handler
exists, any unprivileged sysfs read that causes AML to touch an
EC OpRegion (battery, thermal, backlight) exercises the dangling
pointer.
Fix this by calling ec_remove_handlers() in the error path of
acpi_ec_setup() before clearing first_ec. ec_remove_handlers()
checks each EC_FLAGS_* bit before acting, so it is safe to call
regardless of how far ec_install_handlers() progressed:
-ENODEV (handler not installed): only calls acpi_ec_stop()
-EPROBE_DEFER (handler installed): removes handler, stops EC
Severity
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/022d1727f33ff90b3… | |
| https://git.kernel.org/stable/c/9c886e63b69658959… | |
| https://git.kernel.org/stable/c/808c0f156f48d5b8c… | |
| https://git.kernel.org/stable/c/d04c007047c881581… | |
| https://git.kernel.org/stable/c/be1a827e15991e874… | |
| https://git.kernel.org/stable/c/f6484cadbcaf26b58… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
03e9a0e05739cf872fee494b06c75c0469704a21 , < 022d1727f33ff90b3e1775125264e3023901952e
(git)
Affected: 03e9a0e05739cf872fee494b06c75c0469704a21 , < 9c886e63b69658959633937e3acb7ca8addf7499 (git) Affected: 03e9a0e05739cf872fee494b06c75c0469704a21 , < 808c0f156f48d5b8ca34088cbbfba8444e606cbc (git) Affected: 03e9a0e05739cf872fee494b06c75c0469704a21 , < d04c007047c88158141d9bd5eac761cdadd3782c (git) Affected: 03e9a0e05739cf872fee494b06c75c0469704a21 , < be1a827e15991e874e0d5222d0ea5fdad01960fe (git) Affected: 03e9a0e05739cf872fee494b06c75c0469704a21 , < f6484cadbcaf26b5844b51bd7307a663dda48ef6 (git) |
|
| Linux | Linux |
Affected:
5.7
Unaffected: 0 , < 5.7 (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.131 , ≤ 6.6.* (semver) Unaffected: 6.12.80 , ≤ 6.12.* (semver) Unaffected: 6.18.21 , ≤ 6.18.* (semver) Unaffected: 6.19.11 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/acpi/ec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "022d1727f33ff90b3e1775125264e3023901952e",
"status": "affected",
"version": "03e9a0e05739cf872fee494b06c75c0469704a21",
"versionType": "git"
},
{
"lessThan": "9c886e63b69658959633937e3acb7ca8addf7499",
"status": "affected",
"version": "03e9a0e05739cf872fee494b06c75c0469704a21",
"versionType": "git"
},
{
"lessThan": "808c0f156f48d5b8ca34088cbbfba8444e606cbc",
"status": "affected",
"version": "03e9a0e05739cf872fee494b06c75c0469704a21",
"versionType": "git"
},
{
"lessThan": "d04c007047c88158141d9bd5eac761cdadd3782c",
"status": "affected",
"version": "03e9a0e05739cf872fee494b06c75c0469704a21",
"versionType": "git"
},
{
"lessThan": "be1a827e15991e874e0d5222d0ea5fdad01960fe",
"status": "affected",
"version": "03e9a0e05739cf872fee494b06c75c0469704a21",
"versionType": "git"
},
{
"lessThan": "f6484cadbcaf26b5844b51bd7307a663dda48ef6",
"status": "affected",
"version": "03e9a0e05739cf872fee494b06c75c0469704a21",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/acpi/ec.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: EC: clean up handlers on probe failure in acpi_ec_setup()\n\nWhen ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware\nplatforms, it has already started the EC and installed the address\nspace handler with the struct acpi_ec pointer as handler context.\nHowever, acpi_ec_setup() propagates the error without any cleanup.\n\nThe caller acpi_ec_add() then frees the struct acpi_ec for non-boot\ninstances, leaving a dangling handler context in ACPICA.\n\nAny subsequent AML evaluation that accesses an EC OpRegion field\ndispatches into acpi_ec_space_handler() with the freed pointer,\ncausing a use-after-free:\n\n BUG: KASAN: slab-use-after-free in mutex_lock (kernel/locking/mutex.c:289)\n Write of size 8 at addr ffff88800721de38 by task init/1\n Call Trace:\n \u003cTASK\u003e\n mutex_lock (kernel/locking/mutex.c:289)\n acpi_ec_space_handler (drivers/acpi/ec.c:1362)\n acpi_ev_address_space_dispatch (drivers/acpi/acpica/evregion.c:293)\n acpi_ex_access_region (drivers/acpi/acpica/exfldio.c:246)\n acpi_ex_field_datum_io (drivers/acpi/acpica/exfldio.c:509)\n acpi_ex_extract_from_field (drivers/acpi/acpica/exfldio.c:700)\n acpi_ex_read_data_from_field (drivers/acpi/acpica/exfield.c:327)\n acpi_ex_resolve_node_to_value (drivers/acpi/acpica/exresolv.c:392)\n \u003c/TASK\u003e\n\n Allocated by task 1:\n acpi_ec_alloc (drivers/acpi/ec.c:1424)\n acpi_ec_add (drivers/acpi/ec.c:1692)\n\n Freed by task 1:\n kfree (mm/slub.c:6876)\n acpi_ec_add (drivers/acpi/ec.c:1751)\n\nThe bug triggers on reduced-hardware EC platforms (ec-\u003egpe \u003c 0)\nwhen the GPIO IRQ provider defers probing. Once the stale handler\nexists, any unprivileged sysfs read that causes AML to touch an\nEC OpRegion (battery, thermal, backlight) exercises the dangling\npointer.\n\nFix this by calling ec_remove_handlers() in the error path of\nacpi_ec_setup() before clearing first_ec. ec_remove_handlers()\nchecks each EC_FLAGS_* bit before acting, so it is safe to call\nregardless of how far ec_install_handlers() progressed:\n\n -ENODEV (handler not installed): only calls acpi_ec_stop()\n -EPROBE_DEFER (handler installed): removes handler, stops EC"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:28.727Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/022d1727f33ff90b3e1775125264e3023901952e"
},
{
"url": "https://git.kernel.org/stable/c/9c886e63b69658959633937e3acb7ca8addf7499"
},
{
"url": "https://git.kernel.org/stable/c/808c0f156f48d5b8ca34088cbbfba8444e606cbc"
},
{
"url": "https://git.kernel.org/stable/c/d04c007047c88158141d9bd5eac761cdadd3782c"
},
{
"url": "https://git.kernel.org/stable/c/be1a827e15991e874e0d5222d0ea5fdad01960fe"
},
{
"url": "https://git.kernel.org/stable/c/f6484cadbcaf26b5844b51bd7307a663dda48ef6"
}
],
"title": "ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31426",
"datePublished": "2026-04-13T13:40:29.635Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-05-11T22:08:28.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31427 (GCVE-0-2026-31427)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-05-11 22:08
VLAI
EPSS
Title
netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
process_sdp() declares union nf_inet_addr rtp_addr on the stack and
passes it to the nf_nat_sip sdp_session hook after walking the SDP
media descriptions. However rtp_addr is only initialized inside the
media loop when a recognized media type with a non-zero port is found.
If the SDP body contains no m= lines, only inactive media sections
(m=audio 0 ...) or only unrecognized media types, rtp_addr is never
assigned. Despite that, the function still calls hooks->sdp_session()
with &rtp_addr, causing nf_nat_sdp_session() to format the stale stack
value as an IP address and rewrite the SDP session owner and connection
lines with it.
With CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this
results in the session-level o= and c= addresses being rewritten to
0.0.0.0 for inactive SDP sessions. Without stack auto-init the
rewritten address is whatever happened to be on the stack.
Fix this by pre-initializing rtp_addr from the session-level connection
address (caddr) when available, and tracking via a have_rtp_addr flag
whether any valid address was established. Skip the sdp_session hook
entirely when no valid address exists.
Severity
No CVSS data available.
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/faa6ea32797a18477… | |
| https://git.kernel.org/stable/c/82baeb871e8f04906… | |
| https://git.kernel.org/stable/c/6e5e3c87b7e6212f1… | |
| https://git.kernel.org/stable/c/fe463e76c9b4b0b43… | |
| https://git.kernel.org/stable/c/7edca70751b9bdb5b… | |
| https://git.kernel.org/stable/c/01f34a80ac23ae90b… | |
| https://git.kernel.org/stable/c/52fdda318ef2362fc… | |
| https://git.kernel.org/stable/c/6a2b724460cb67cae… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
4ab9e64e5e3c0516577818804aaf13a630d67bc9 , < faa6ea32797a1847790514ff0da1be1d09771580
(git)
Affected: 4ab9e64e5e3c0516577818804aaf13a630d67bc9 , < 82baeb871e8f04906bc886273fdf0209e1754eb3 (git) Affected: 4ab9e64e5e3c0516577818804aaf13a630d67bc9 , < 6e5e3c87b7e6212f1d8414fc2e4d158b01e12025 (git) Affected: 4ab9e64e5e3c0516577818804aaf13a630d67bc9 , < fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6 (git) Affected: 4ab9e64e5e3c0516577818804aaf13a630d67bc9 , < 7edca70751b9bdb5b83eed53cde21eccf3c86147 (git) Affected: 4ab9e64e5e3c0516577818804aaf13a630d67bc9 , < 01f34a80ac23ae90b1909b94b4ed05343a62f646 (git) Affected: 4ab9e64e5e3c0516577818804aaf13a630d67bc9 , < 52fdda318ef2362fc5936385bcb8b3d0328ee629 (git) Affected: 4ab9e64e5e3c0516577818804aaf13a630d67bc9 , < 6a2b724460cb67caed500c508c2ae5cf012e4db4 (git) |
|
| Linux | Linux |
Affected:
2.6.26
Unaffected: 0 , < 2.6.26 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.131 , ≤ 6.6.* (semver) Unaffected: 6.12.80 , ≤ 6.12.* (semver) Unaffected: 6.18.21 , ≤ 6.18.* (semver) Unaffected: 6.19.11 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_sip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "faa6ea32797a1847790514ff0da1be1d09771580",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "82baeb871e8f04906bc886273fdf0209e1754eb3",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "6e5e3c87b7e6212f1d8414fc2e4d158b01e12025",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "7edca70751b9bdb5b83eed53cde21eccf3c86147",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "01f34a80ac23ae90b1909b94b4ed05343a62f646",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "52fdda318ef2362fc5936385bcb8b3d0328ee629",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
},
{
"lessThan": "6a2b724460cb67caed500c508c2ae5cf012e4db4",
"status": "affected",
"version": "4ab9e64e5e3c0516577818804aaf13a630d67bc9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nf_conntrack_sip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.26"
},
{
"lessThan": "2.6.26",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp\n\nprocess_sdp() declares union nf_inet_addr rtp_addr on the stack and\npasses it to the nf_nat_sip sdp_session hook after walking the SDP\nmedia descriptions. However rtp_addr is only initialized inside the\nmedia loop when a recognized media type with a non-zero port is found.\n\nIf the SDP body contains no m= lines, only inactive media sections\n(m=audio 0 ...) or only unrecognized media types, rtp_addr is never\nassigned. Despite that, the function still calls hooks-\u003esdp_session()\nwith \u0026rtp_addr, causing nf_nat_sdp_session() to format the stale stack\nvalue as an IP address and rewrite the SDP session owner and connection\nlines with it.\n\nWith CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this\nresults in the session-level o= and c= addresses being rewritten to\n0.0.0.0 for inactive SDP sessions. Without stack auto-init the\nrewritten address is whatever happened to be on the stack.\n\nFix this by pre-initializing rtp_addr from the session-level connection\naddress (caddr) when available, and tracking via a have_rtp_addr flag\nwhether any valid address was established. Skip the sdp_session hook\nentirely when no valid address exists."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:29.865Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/faa6ea32797a1847790514ff0da1be1d09771580"
},
{
"url": "https://git.kernel.org/stable/c/82baeb871e8f04906bc886273fdf0209e1754eb3"
},
{
"url": "https://git.kernel.org/stable/c/6e5e3c87b7e6212f1d8414fc2e4d158b01e12025"
},
{
"url": "https://git.kernel.org/stable/c/fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6"
},
{
"url": "https://git.kernel.org/stable/c/7edca70751b9bdb5b83eed53cde21eccf3c86147"
},
{
"url": "https://git.kernel.org/stable/c/01f34a80ac23ae90b1909b94b4ed05343a62f646"
},
{
"url": "https://git.kernel.org/stable/c/52fdda318ef2362fc5936385bcb8b3d0328ee629"
},
{
"url": "https://git.kernel.org/stable/c/6a2b724460cb67caed500c508c2ae5cf012e4db4"
}
],
"title": "netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31427",
"datePublished": "2026-04-13T13:40:30.280Z",
"dateReserved": "2026-03-09T15:48:24.088Z",
"dateUpdated": "2026-05-11T22:08:29.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31428 (GCVE-0-2026-31428)
Vulnerability from cvelistv5 – Published: 2026-04-13 13:40 – Updated: 2026-05-11 22:08
VLAI
EPSS
Title
netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
__build_packet_message() manually constructs the NFULA_PAYLOAD netlink
attribute using skb_put() and skb_copy_bits(), bypassing the standard
nla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes
are allocated (including NLA alignment padding), only data_len bytes
of actual packet data are copied. The trailing nla_padlen(data_len)
bytes (1-3 when data_len is not 4-byte aligned) are never initialized,
leaking stale heap contents to userspace via the NFLOG netlink socket.
Replace the manual attribute construction with nla_reserve(), which
handles the tailroom check, header setup, and padding zeroing via
__nla_reserve(). The subsequent skb_copy_bits() fills in the payload
data on top of the properly initialized attribute.
Severity
No CVSS data available.
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://git.kernel.org/stable/c/7f3e5d72455936f42… | |
| https://git.kernel.org/stable/c/21d8efda029948d36… | |
| https://git.kernel.org/stable/c/fc961dd7272b5e4a4… | |
| https://git.kernel.org/stable/c/a8365d1064ded3237… | |
| https://git.kernel.org/stable/c/a2f6ff3444b663d6c… | |
| https://git.kernel.org/stable/c/c9f6c51d36482805a… | |
| https://git.kernel.org/stable/c/7eff72968161fb8dd… | |
| https://git.kernel.org/stable/c/52025ebaa29f4eb4e… |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
df6fb868d6118686805c2fa566e213a8f31c8e4f , < 7f3e5d72455936f42709116fabeca3bb216cda62
(git)
Affected: df6fb868d6118686805c2fa566e213a8f31c8e4f , < 21d8efda029948d3666b0db5afcc0d36c0984aae (git) Affected: df6fb868d6118686805c2fa566e213a8f31c8e4f , < fc961dd7272b5e4a462999635e44a4770d7f2482 (git) Affected: df6fb868d6118686805c2fa566e213a8f31c8e4f , < a8365d1064ded323797c5e28e91070c52f44b76c (git) Affected: df6fb868d6118686805c2fa566e213a8f31c8e4f , < a2f6ff3444b663d6cfa63eadd61327a18592885a (git) Affected: df6fb868d6118686805c2fa566e213a8f31c8e4f , < c9f6c51d36482805ac3ffadb9663fe775a13e926 (git) Affected: df6fb868d6118686805c2fa566e213a8f31c8e4f , < 7eff72968161fb8ddb26113344de3b92fb7d7ef5 (git) Affected: df6fb868d6118686805c2fa566e213a8f31c8e4f , < 52025ebaa29f4eb4ed8bf92ce83a68f24ab7fdf7 (git) |
|
| Linux | Linux |
Affected:
2.6.24
Unaffected: 0 , < 2.6.24 (semver) Unaffected: 5.10.253 , ≤ 5.10.* (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.131 , ≤ 6.6.* (semver) Unaffected: 6.12.80 , ≤ 6.12.* (semver) Unaffected: 6.18.21 , ≤ 6.18.* (semver) Unaffected: 6.19.11 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f3e5d72455936f42709116fabeca3bb216cda62",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "21d8efda029948d3666b0db5afcc0d36c0984aae",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "fc961dd7272b5e4a462999635e44a4770d7f2482",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "a8365d1064ded323797c5e28e91070c52f44b76c",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "a2f6ff3444b663d6cfa63eadd61327a18592885a",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "c9f6c51d36482805ac3ffadb9663fe775a13e926",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "7eff72968161fb8ddb26113344de3b92fb7d7ef5",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
},
{
"lessThan": "52025ebaa29f4eb4ed8bf92ce83a68f24ab7fdf7",
"status": "affected",
"version": "df6fb868d6118686805c2fa566e213a8f31c8e4f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nfnetlink_log.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.24"
},
{
"lessThan": "2.6.24",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.131",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.131",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "2.6.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD\n\n__build_packet_message() manually constructs the NFULA_PAYLOAD netlink\nattribute using skb_put() and skb_copy_bits(), bypassing the standard\nnla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes\nare allocated (including NLA alignment padding), only data_len bytes\nof actual packet data are copied. The trailing nla_padlen(data_len)\nbytes (1-3 when data_len is not 4-byte aligned) are never initialized,\nleaking stale heap contents to userspace via the NFLOG netlink socket.\n\nReplace the manual attribute construction with nla_reserve(), which\nhandles the tailroom check, header setup, and padding zeroing via\n__nla_reserve(). The subsequent skb_copy_bits() fills in the payload\ndata on top of the properly initialized attribute."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:08:31.017Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f3e5d72455936f42709116fabeca3bb216cda62"
},
{
"url": "https://git.kernel.org/stable/c/21d8efda029948d3666b0db5afcc0d36c0984aae"
},
{
"url": "https://git.kernel.org/stable/c/fc961dd7272b5e4a462999635e44a4770d7f2482"
},
{
"url": "https://git.kernel.org/stable/c/a8365d1064ded323797c5e28e91070c52f44b76c"
},
{
"url": "https://git.kernel.org/stable/c/a2f6ff3444b663d6cfa63eadd61327a18592885a"
},
{
"url": "https://git.kernel.org/stable/c/c9f6c51d36482805ac3ffadb9663fe775a13e926"
},
{
"url": "https://git.kernel.org/stable/c/7eff72968161fb8ddb26113344de3b92fb7d7ef5"
},
{
"url": "https://git.kernel.org/stable/c/52025ebaa29f4eb4ed8bf92ce83a68f24ab7fdf7"
}
],
"title": "netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31428",
"datePublished": "2026-04-13T13:40:30.987Z",
"dateReserved": "2026-03-09T15:48:24.089Z",
"dateUpdated": "2026-05-11T22:08:31.017Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32316 (GCVE-0-2026-32316)
Vulnerability from cvelistv5 – Published: 2026-04-13 17:49 – Updated: 2026-04-13 18:56
VLAI
EPSS
Title
jq: Integer overflow in jvp_string_append() allows Heap-based Buffer Overflow
Summary
jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.
Severity
8.2 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jqlang/jq/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/jqlang/jq/commit/e47e56d226519… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32316",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T18:56:45.829031Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T18:56:54.199Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jq",
"vendor": "jqlang",
"versions": [
{
"status": "affected",
"version": "\u003c e47e56d226519635768e6aab2f38f0ab037c09e5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T17:49:34.095Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jqlang/jq/security/advisories/GHSA-q3h9-m34w-h76f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jqlang/jq/security/advisories/GHSA-q3h9-m34w-h76f"
},
{
"name": "https://github.com/jqlang/jq/commit/e47e56d226519635768e6aab2f38f0ab037c09e5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jqlang/jq/commit/e47e56d226519635768e6aab2f38f0ab037c09e5"
}
],
"source": {
"advisory": "GHSA-q3h9-m34w-h76f",
"discovery": "UNKNOWN"
},
"title": "jq: Integer overflow in jvp_string_append() allows Heap-based Buffer Overflow"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32316",
"datePublished": "2026-04-13T17:49:34.095Z",
"dateReserved": "2026-03-11T21:16:21.660Z",
"dateUpdated": "2026-04-13T18:56:54.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33947 (GCVE-0-2026-33947)
Vulnerability from cvelistv5 – Published: 2026-04-13 21:50 – Updated: 2026-04-16 03:03
VLAI
EPSS
Title
jq: Unbounded Recursion in jv_setpath(), jv_getpath() and delpaths_sorted()
Summary
jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.
Severity
6.2 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/jqlang/jq/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/jqlang/jq/commit/fb59f1491058d… | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2026/04/16/1 |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33947",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T13:45:08.694594Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T13:45:13.483Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-16T03:03:39.478Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/16/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jq",
"vendor": "jqlang",
"versions": [
{
"status": "affected",
"version": "\u003c fb59f1491058d58bdc3e8dd28f1773d1ac690a1f"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq\u0027s src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq\u0027s setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674: Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T21:50:18.814Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg"
},
{
"name": "https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f"
}
],
"source": {
"advisory": "GHSA-xwrw-4f8h-rjvg",
"discovery": "UNKNOWN"
},
"title": "jq: Unbounded Recursion in jv_setpath(), jv_getpath() and delpaths_sorted()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33947",
"datePublished": "2026-04-13T21:50:18.814Z",
"dateReserved": "2026-03-24T19:50:52.105Z",
"dateUpdated": "2026-04-16T03:03:39.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33948 (GCVE-0-2026-33948)
Vulnerability from cvelistv5 – Published: 2026-04-13 23:51 – Updated: 2026-04-14 15:53
VLAI
EPSS
Title
jq: Embedded-NUL Truncation in CLI JSON Input Path Causes Prefix-Only Validation of Malformed Input
Summary
jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/jqlang/jq/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/jqlang/jq/commit/6374ae0bcdfe3… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33948",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:53:20.536777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:53:38.340Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jq",
"vendor": "jqlang",
"versions": [
{
"status": "affected",
"version": "\u003c 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.9,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-170",
"description": "CWE-170: Improper Null Termination",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T23:51:04.144Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9"
},
{
"name": "https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b"
}
],
"source": {
"advisory": "GHSA-32cx-cvvh-2wj9",
"discovery": "UNKNOWN"
},
"title": "jq: Embedded-NUL Truncation in CLI JSON Input Path Causes Prefix-Only Validation of Malformed Input"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33948",
"datePublished": "2026-04-13T23:51:04.144Z",
"dateReserved": "2026-03-24T19:50:52.105Z",
"dateUpdated": "2026-04-14T15:53:38.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34445 (GCVE-0-2026-34445)
Vulnerability from cvelistv5 – Published: 2026-04-01 17:30 – Updated: 2026-04-01 18:00
VLAI
EPSS
Title
ONNX: Malicious ONNX models can crash servers by exploiting unprotected object settings.
Summary
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.
Severity
8.6 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/onnx/onnx/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/onnx/onnx/pull/7751 | x_refsource_MISC |
| https://github.com/onnx/onnx/commit/e30c6935d67cc… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34445",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T17:59:29.944812Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T18:00:14.120Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "onnx",
"vendor": "onnx",
"versions": [
{
"status": "affected",
"version": "\u003c 1.21.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python\u2019s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn\u2019t check if the \"keys\" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T17:30:19.994Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/onnx/onnx/security/advisories/GHSA-538c-55jv-c5g9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/onnx/onnx/security/advisories/GHSA-538c-55jv-c5g9"
},
{
"name": "https://github.com/onnx/onnx/pull/7751",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/onnx/onnx/pull/7751"
},
{
"name": "https://github.com/onnx/onnx/commit/e30c6935d67cc3eca2fa284e37248e7c0036c46b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/onnx/onnx/commit/e30c6935d67cc3eca2fa284e37248e7c0036c46b"
}
],
"source": {
"advisory": "GHSA-538c-55jv-c5g9",
"discovery": "UNKNOWN"
},
"title": "ONNX: Malicious ONNX models can crash servers by exploiting unprotected object settings."
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34445",
"datePublished": "2026-04-01T17:30:19.994Z",
"dateReserved": "2026-03-27T18:18:14.894Z",
"dateUpdated": "2026-04-01T18:00:14.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34446 (GCVE-0-2026-34446)
Vulnerability from cvelistv5 – Published: 2026-04-01 17:37 – Updated: 2026-04-02 14:10
VLAI
EPSS
Title
ONNX: Arbitrary File Read via ExternalData Hardlink Bypass in ONNX load
Summary
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.
Severity
4.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/onnx/onnx/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/onnx/onnx/commit/4755f8053928d… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34446",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T14:10:29.172559Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T14:10:36.637Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "onnx",
"vendor": "onnx",
"versions": [
{
"status": "affected",
"version": "\u003c 1.21.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load, the code checks for symlinks to prevent path traversal, but completely misses hardlinks because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T17:37:54.737Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/onnx/onnx/security/advisories/GHSA-cmw6-hcpp-c6jp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/onnx/onnx/security/advisories/GHSA-cmw6-hcpp-c6jp"
},
{
"name": "https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/onnx/onnx/commit/4755f8053928dce18a61db8fec71b69c74f786cb"
}
],
"source": {
"advisory": "GHSA-cmw6-hcpp-c6jp",
"discovery": "UNKNOWN"
},
"title": "ONNX: Arbitrary File Read via ExternalData Hardlink Bypass in ONNX load"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34446",
"datePublished": "2026-04-01T17:37:54.737Z",
"dateReserved": "2026-03-27T18:18:14.894Z",
"dateUpdated": "2026-04-02T14:10:36.637Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34978 (GCVE-0-2026-34978)
Vulnerability from cvelistv5 – Published: 2026-04-03 21:15 – Updated: 2026-04-06 15:42
VLAI
EPSS
Title
OpenPrinting CUPS: Path traversal in RSS notify-recipient-uri enables file write outside CacheDir/rss (and clobbering of job.cache)
Summary
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/OpenPrinting/cups/security/adv… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OpenPrinting | cups |
Affected:
<= 2.4.16
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34978",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T15:39:23.842578Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T15:42:42.322Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-f53q-7mxp-9gcr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cups",
"vendor": "OpenPrinting",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.4.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T21:15:15.921Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-f53q-7mxp-9gcr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OpenPrinting/cups/security/advisories/GHSA-f53q-7mxp-9gcr"
}
],
"source": {
"advisory": "GHSA-f53q-7mxp-9gcr",
"discovery": "UNKNOWN"
},
"title": "OpenPrinting CUPS: Path traversal in RSS notify-recipient-uri enables file write outside CacheDir/rss (and clobbering of job.cache)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34978",
"datePublished": "2026-04-03T21:15:15.921Z",
"dateReserved": "2026-03-31T19:38:31.617Z",
"dateUpdated": "2026-04-06T15:42:42.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…