Filtered by vendor Debian
Subscriptions
Total
10160 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-3910 | 2 Cloudflare, Debian | 2 Octorpki, Debian Linux | 2026-04-15 | 4.4 Medium |
| OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\0) character). | ||||
| CVE-2024-37017 | 1 Debian | 1 As Dcp Lib | 2026-04-15 | 8.1 High |
| asdcplib (aka AS-DCP Lib) 2.13.1 has a heap-based buffer over-read in ASDCP::TimedText::MXFReader::h__Reader::MD_to_TimedText_TDesc in AS_DCP_TimedText.cpp in libasdcp.so. | ||||
| CVE-2025-62672 | 2 Boyns, Debian | 2 Rplay, Debian Linux | 2026-04-15 | 5.3 Medium |
| rplay through 3.3.2 allows attackers to cause a denial of service (SIGSEGV and daemon crash) or possibly have unspecified other impact. This occurs in memcpy in the RPLAY_DATA case in rplay_unpack in librplay/rplay.c, potentially reachable via packet data with no authentication. | ||||
| CVE-2025-68462 | 1 Debian | 1 Freedombox | 2026-04-15 | 3.2 Low |
| Freedombox before 25.17.1 does not set proper permissions for the backups-data directory, allowing the reading of dump files of databases. | ||||
| CVE-2025-62600 | 2 Debian, Eprosima | 2 Debian Linux, Fast Dds | 2026-04-14 | 8.6 High |
| eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length field in readBinaryPropertySeq— are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1. | ||||
| CVE-2022-0778 | 8 Debian, Fedoraproject, Mariadb and 5 more | 25 Debian Linux, Fedora, Mariadb and 22 more | 2026-04-14 | 7.5 High |
| The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). | ||||
| CVE-2020-26147 | 5 Arista, Debian, Linux and 2 more | 15 C-65, C-65 Firmware, C-75 and 12 more | 2026-04-14 | 5.4 Medium |
| An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. | ||||
| CVE-2020-26139 | 6 Arista, Cisco, Debian and 3 more | 331 C-100, C-100 Firmware, C-110 and 328 more | 2026-04-14 | 5.3 Medium |
| An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in projected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients. | ||||
| CVE-2020-24588 | 9 Arista, Cisco, Debian and 6 more | 351 C-100, C-100 Firmware, C-110 and 348 more | 2026-04-14 | 3.5 Low |
| The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. | ||||
| CVE-2020-11022 | 9 Debian, Drupal, Fedoraproject and 6 more | 88 Debian Linux, Drupal, Fedora and 85 more | 2026-04-13 | 6.9 Medium |
| In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | ||||
| CVE-2025-62599 | 2 Debian, Eprosima | 2 Debian Linux, Fast Dds | 2026-04-09 | 8.6 High |
| eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length field in readPropertySeq — are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1. | ||||
| CVE-2024-44986 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2026-04-09 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible UAF in ip6_finish_output2() If skb_expand_head() returns NULL, skb has been freed and associated dst/idev could also have been freed. We need to hold rcu_read_lock() to make sure the dst and associated idev are alive. | ||||
| CVE-2024-44977 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2026-04-09 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Validate TA binary size Add TA binary size validation to avoid OOB write. (cherry picked from commit c0a04e3570d72aaf090962156ad085e37c62e442) | ||||
| CVE-2024-44974 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2026-04-09 | 7.8 High |
| In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: avoid possible UaF when selecting endp select_local_address() and select_signal_address() both select an endpoint entry from the list inside an RCU protected section, but return a reference to it, to be read later on. If the entry is dereferenced after the RCU unlock, reading info could cause a Use-after-Free. A simple solution is to copy the required info while inside the RCU protected section to avoid any risk of UaF later. The address ID might need to be modified later to handle the ID0 case later, so a copy seems OK to deal with. | ||||
| CVE-2025-63261 | 3 Awstats, Debian, Eldy | 3 Awstats, Debian Linux, Awstats | 2026-04-08 | 7.8 High |
| AWStats 8.0 is vulnerable to Command Injection via the open function | ||||
| CVE-2025-22040 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2026-04-06 | 8.8 High |
| In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix session use-after-free in multichannel connection There is a race condition between session setup and ksmbd_sessions_deregister. The session can be freed before the connection is added to channel list of session. This patch check reference count of session before freeing it. | ||||
| CVE-2025-22042 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2026-04-06 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: ksmbd: add bounds check for create lease context Add missing bounds check for create lease context. | ||||
| CVE-2024-2961 | 4 Debian, Gnu, Netapp and 1 more | 29 Debian Linux, Glibc, Active Iq Unified Manager and 26 more | 2026-04-03 | 7.3 High |
| The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable. | ||||
| CVE-2025-24201 | 3 Apple, Debian, Redhat | 13 Ipados, Iphone Os, Macos and 10 more | 2026-04-03 | 10 Critical |
| An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in Safari 18.3.1, iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iOS 18.3.2 and iPadOS 18.3.2, iPadOS 17.7.6, macOS Sequoia 15.3.2, visionOS 2.3.2, watchOS 11.4. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.). | ||||
| CVE-2024-44309 | 3 Apple, Debian, Redhat | 13 Ipad Os, Ipados, Iphone Os and 10 more | 2026-04-03 | 6.3 Medium |
| A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems. | ||||