Joshua Rogers

**Name of the Vulnerable Software and Affected Versions** image-size versions prior to 2.0.3 **Description** A denial of service issue exists where remote attackers can permanently block the Node.js event loop. By supplying a specially crafted image buffer containing a box-type with a zero-valued size field, an infinite loop is triggered within the JXL or HEIF image parsers. This causes the offset to never advance, resulting in the application hanging permanently. **Recommendations** Update to version 2.0.3 or later.

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** A NULL pointer dereference occurs when partial-chain certificate verification is enabled alongside OCSP response checking for the entire chain, provided the verified chain lacks a self-signed trusted anchor. This happens because the code attempts to access the next certificate as the issuer, but the issuer remains NULL for the final certificate in the chain under these specific conditions. This can lead to a process crash and a subsequent Denial of Service. The issue specifically affects applications that enable both the `X509 V FLAG OCSP RESP CHECK ALL` and `X509 V FLAG PARTIAL CHAIN` flags, both of which are disabled by default. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. Avoid enabling both `X509 V FLAG OCSP RESP CHECK ALL` and `X509 V FLAG PARTIAL CHAIN` flags simultaneously during certificate verification.

**Name of the Vulnerable Software and Affected Versions** FreeBSD libcasper(3) (affected versions not specified) **Description** libcasper(3) communicates with helper processes via UNIX domain sockets and utilizes the `select(2)` system call to wait for available data. The software fails to verify if the socket descriptor is within the `FD SETSIZE` limit of 1024. An attacker can trigger stack corruption by causing an application using libcasper(3) to allocate large file descriptors, such as by opening numerous descriptors and executing a program that does not close them upon startup. If the target application runs with setuid root privileges, this can lead to local privilege escalation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** fusefs (affected versions not specified) **Description** When a fusefs file system implements extended attributes, the kernel may send a FUSE LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module uses the `strlen()` function on this buffer without verifying that the list is NUL-terminated. A malicious daemon can send a non-NUL-terminated list, causing the kernel module to read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. This can lead to the disclosure of up to 253 bytes of kernel heap memory or the injection of up to 250 attacker-controlled bytes into unallocated kernel heap space. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** cap net service (affected versions not specified) **Description** An issue exists in the `cap net` service where omitting a key from a new limit that was present in the old limit causes the missing key to be treated as allow any instead of being rejected. This allows an application that previously had restricted network operations to request a new limit that extends the process permissions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** rsync versions prior to 3.4.3 **Description** An authorization bypass exists in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record (a DNS record that maps an IP address to a hostname) for their source IP address. This allows connections from hostnames that administrators intended to deny in scenarios where reverse DNS resolution fails and defaults to UNKNOWN. **Recommendations** Update to version 3.4.3 or later.

**Name of the Vulnerable Software and Affected Versions** iOS versions prior to 26.5 iPadOS versions prior to 26.5 macOS Tahoe versions prior to 26.5 tvOS versions prior to 26.5 visionOS versions prior to 26.5 watchOS versions prior to 26.5 **Description** Processing maliciously crafted web content may lead to an unexpected process crash due to improper memory handling. **Recommendations** Update iOS to version 26.5. Update iPadOS to version 26.5. Update macOS Tahoe to version 26.5. Update tvOS to version 26.5. Update visionOS to version 26.5. Update watchOS to version 26.5.

**Name of the Vulnerable Software and Affected Versions** gnutls versions prior to 3.8.13-1.1 **Description** No detailed information was provided regarding the nature of the security issues fixed in this package. **Recommendations** Update to version 3.8.13-1.1.

**Name of the Vulnerable Software and Affected Versions** FreeBSD dhclient (affected versions not specified) **Description** The FreeBSD DHCP client fails to escape embedded double-quotes when writing the BOOTP `file` field to the lease file. This allows a rogue DHCP server on the same network to inject arbitrary `dhclient.conf` directives. When the lease file is re-parsed, such as after a system restart, the attacker-controlled field is passed to the `dhclient-script()` function, which evaluates it, potentially leading to arbitrary code execution with root privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libnv (affected versions not specified) **Description** When exchanging data over a socket, the software uses the `select()` function to wait for data. It fails to verify if the provided socket descriptor exceeds the file descriptor set size limit of `FD SETSIZE` (1024). An attacker capable of forcing the application to allocate large file descriptors can trigger stack corruption. If the target application is setuid-root, this may lead to local privilege escalation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** gnutls versions prior to 3.8.13-1.1 **Description** No detailed information was provided regarding the nature of the security issues fixed in this package. **Recommendations** Update to version 3.8.13-1.1.

**Name of the Vulnerable Software and Affected Versions** gnutls versions prior to 3.8.13-1.1 **Description** Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) incorrectly match usernames containing a NUL character with truncated usernames. A remote attacker can exploit this by sending a specially crafted username to bypass the authentication process and gain unauthorized access. **Recommendations** Update to version 3.8.13-1.1.

**Name of the Vulnerable Software and Affected Versions** dhclient (affected versions not specified) **Description** When building an environment to pass to dhclient-script, the software may resize the array of string pointers. The code responsible for expanding this array incorrectly calculates the new memory size, leading to a heap buffer overrun (a memory corruption where data is written beyond the boundaries of a heap-allocated buffer). A specially crafted packet can trigger this overrun, potentially causing a system crash or allowing remote code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions OpenSSL versions 3.0 through 3.6 Description Processing a specially crafted CMS EnvelopedData message with KeyTransportRecipientInfo can lead to a NULL pointer dereference. This can cause applications that process attacker-controlled CMS data to crash before authentication or cryptographic operations, resulting in a Denial of Service. The issue occurs when examining the optional parameters field of RSA-OAEP SourceFunc algorithm identifier without verifying its presence, leading to a NULL pointer dereference if the field is missing. Applications and services using CMS decrypt() on untrusted input, such as S/MIME processing or CMS-based protocols, are affected. Recommendations Update to a version after 3.6. Update to a version after 3.5. Update to a version after 3.4. Update to a version after 3.3. Update to a version after 3.0.

Name of the Vulnerable Software and Affected Versions OpenSSL versions 3.0 through 3.6 Description Processing a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo can lead to a NULL pointer dereference. This can cause applications that process attacker-controlled CMS data to crash before authentication or cryptographic operations, resulting in a Denial of Service. The issue occurs when the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence, leading to a NULL pointer dereference if the field is missing. Applications and services calling CMS decrypt() on untrusted input, such as S/MIME processing or CMS-based protocols, are affected. Recommendations Update to a version after 3.6. As a temporary workaround, avoid processing untrusted CMS EnvelopedData messages with KeyAgreeRecipientInfo.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 11.2.x through 11.2.2 Mattermost versions 10.11.x through 10.11.10 Mattermost versions 11.4.x through 11.4.0 Mattermost versions 11.3.x through 11.3.1 **Description** The software does not properly validate Cross-Site Request Forgery (CSRF) tokens. This allows an attacker to potentially trick an administrator into modifying the active status of access control policies through a specially crafted request. The issue affects the `/api/v4/access control policies/{policy id}/activate` API endpoint, where `{policy id}` represents a vulnerable parameter. **Recommendations** Update Mattermost to a version later than 11.2.2. Update Mattermost to a version later than 10.11.10. Update Mattermost to a version later than 11.4.0. Update Mattermost to a version later than 11.3.1.

**Name of the Vulnerable Software and Affected Versions** AWS-LC versions prior to 1.69.0 **Description** An observable timing discrepancy in AES-CCM decryption within AWS-LC could allow an unauthenticated user to potentially determine authentication tag validity through timing analysis. The impacted implementations utilize the EVP CIPHER API, specifically `EVP aes 128 ccm`, `EVP aes 192 ccm`, and `EVP aes 256 ccm`. **Recommendations** Upgrade to AWS-LC version 1.69.0.

**Name of the Vulnerable Software and Affected Versions** AWS-LC versions prior to 1.69.0 **Description** A flaw exists in the `PKCS7 verify()` function within AWS-LC that allows an unauthenticated user to circumvent certificate chain verification when handling PKCS7 objects containing multiple signers, excluding the final signer. This improper certificate validation could potentially allow malicious actors to compromise the integrity of secure communications. **Recommendations** Upgrade AWS-LC to version 1.69.0 or later.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 11.3.x through 11.3.0 **Description** Mattermost versions 11.3.x through 11.3.0 do not maintain the redacted status of burn-on-read posts when they are deleted. This allows channel members to view the content of burn-on-read messages that were intended to be hidden through the WebSocket post deletion event. The issue is related to the handling of post deletion events and the preservation of redaction states. **Recommendations** Update Mattermost to a version later than 11.3.0.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.11.0 through 10.11.10 **Description** Mattermost fails to invalidate cached permalink preview data when a user loses channel access. This allows a user to continue viewing private channel content through previously cached permalink previews until the cache is reset or the user logs in again. The issue is identified by Mattermost Advisory ID MMSA-2026-00580. **Recommendations** Mattermost versions 10.11.0 through 10.11.10 should be updated to a version where this issue is resolved.