Ho-9

**Name of the Vulnerable Software and Affected Versions** jq versions prior to 2f09060afab23fe9390cce7cb860b10416e1bf5f **Description** The `jv parse sized()` API in libjq accepts a counted buffer with an explicit length parameter. However, its error-handling path formats the input buffer using %s in `jv string fmt()`, which reads until a NUL terminator is found instead of respecting the provided length. When malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. This can lead to memory disclosure or process termination depending on the memory layout. **Recommendations** Update to version 2f09060afab23fe9390cce7cb860b10416e1bf5f.

**Name of the Vulnerable Software and Affected Versions** jq versions prior to commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b **Description** CLI input parsing allows validation bypass via embedded NUL bytes when reading JSON from files or stdin. The software uses `strlen()` to determine buffer length instead of the actual byte count from `fgets()`, causing input to be truncated at the first NUL byte and parsing only the preceding prefix. This allows an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data; the system validates only the prefix as valid JSON while silently discarding the suffix. Workflows that rely on the tool to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, where consumers may process the full input including the malicious trailing bytes. **Recommendations** Update to the version containing commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.

**Name of the Vulnerable Software and Affected Versions** Electron versions prior to 39.8.5 Electron versions prior to 40.8.5 Electron versions prior to 41.1.0 Electron versions prior to 42.0.0-alpha.5 **Description** Electron did not correctly scope the named-window lookup to the opener's browsing context group when a renderer calls `window.open()` with a target name. This allowed a renderer to navigate an existing child window opened by a different renderer if both used the same target name. If the existing child window was created with more permissive `webPreferences` through `setWindowOpenHandler`'s `overrideBrowserWindowOptions`, the content loaded by the second renderer inherited those permissions. Applications are affected only if they open multiple top-level windows with differing trust levels and use `setWindowOpenHandler` to grant child windows elevated `webPreferences`, such as a privileged preload script. Applications that do not elevate child window privileges or use a single top-level window are not affected. Applications that grant `nodeIntegration: true` or `sandbox: false` to child windows may be exposed to arbitrary code execution. **Recommendations** Update to Electron version 39.8.5 or later. Update to Electron version 40.8.5 or later. Update to Electron version 41.1.0 or later. Update to Electron version 42.0.0-alpha.5 or later. Deny `window.open()` in renderers that load untrusted content by returning `{ action: 'deny' }` from `setWindowOpenHandler`. Avoid granting child windows more permissive `webPreferences` than their opener.

**Name of the Vulnerable Software and Affected Versions** Cap'n Proto versions prior to 1.4.0 **Description** Cap'n Proto is a data interchange format and capability-based RPC system. Prior to version 1.4.0, a negative `Content-Length` value was converted to unsigned, resulting in it being treated as an impossibly large length. This could potentially enable HTTP request/response smuggling. The issue is related to integer overflow in KJ-HTTP. **Recommendations** Update to Cap'n Proto version 1.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** Cap'n Proto versions prior to 1.4.0 **Description** Cap'n Proto is a data interchange format and capability-based RPC system. Prior to version 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size was parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. This could potentially enable HTTP request/response smuggling. The issue is related to the parsing of chunk sizes in HTTP requests when the `Transfer-Encoding` is set to `chunked`. **Recommendations** Versions prior to 1.4.0 should be updated to version 1.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** NanaZip versions 5.0.1252.0 through 6.0.1637.0 and 6.5.1637.0 **Description** NanaZip, an open source file archive, contains a flaw in its `.NET Single File Application` parser. Specifically, the parser exhibits an out-of-bounds read condition during manifest parsing. A specially crafted file can provide a malformed `RelativePathLength` value, causing the parser to construct a `std::string` using memory beyond the `HeaderBuffer`. This can lead to a program crash and potential in-process memory disclosure. **Recommendations** Update to NanaZip version 6.0.1638.0 or 6.5.1638.0.

Name of the Vulnerable Software and Affected Versions NanaZip versions 5.0.1252.0 through 6.0.1637.0 NanaZip versions 6.5.1637.0 Description NanaZip contains a flaw in its `.NET Single File Application` parser that can lead to a denial-of-service condition. A specially crafted archive can cause an integer underflow during header-size calculation, resulting in an attempt to allocate an unbounded amount of memory when the archive is opened. Recommendations Update to NanaZip version 6.0.1638.0 or later. Update to NanaZip version 6.5.1638.0 or later.

Name of the Vulnerable Software and Affected Versions NanaZip versions 5.0.1252.0 through 6.0.1637.0 NanaZip versions 6.5.1637.0 Description NanaZip, an open source file archive, contains a memory corruption issue in its UFS parser. A specially crafted `.ufs`, `.ufs2`, or `.img` file can cause out-of-bounds memory access when the archive is opened or listed. This flaw is reachable through normal user file-open operations and may lead to process crashes, hangs, and potentially exploitable heap corruption. Recommendations Update to NanaZip version 6.0.1638.0 or later. Update to NanaZip version 6.5.1638.0 or later.

**Name of the Vulnerable Software and Affected Versions** BACnet Stack versions prior to 1.5.0rc4 BACnet Stack versions prior to 1.4.3rc2 **Description** BACnet Stack is a BACnet open source protocol stack C library for embedded systems. A crafted WriteProperty request can cause a length underflow in the BACnet stack, resulting in an out-of-bounds read and a denial-of-service (DoS) condition. The issue resides in the `wp decode service request` function within the `wp.c` file. Specifically, the `bacnet unsigned context decode` function receives an incorrect size calculation (`apdu len - apdu size`) due to a missing validation check where `apdu size` is greater than `apdu len`, leading to the out-of-bounds read. **Recommendations** Update to BACnet Stack version 1.5.0rc4 or later. Update to BACnet Stack version 1.4.3rc2 or later.