Dangerzone Security Dashboard
- Target
- ghcr.io/freedomofpress/dangerzone/v1:20260527-root-40-g09c132f
- Date
- 2026-05-27T03:10:40.30711804Z
Critical
0
High
31
Medium
113
Low
14
Unknown
1
| Name | Version | Type | Vulnerability | Severity | State | Fixed In | Description | Related URLs | PURL |
|---|---|---|---|---|---|---|---|---|---|
| login.defs | 1:4.17.4-2 | deb | CVE-2024-56433 | Low | wont-fix | N/A | shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid. | [] | pkg:deb/debian/login.defs@1%3A4.17.4-2?arch=all&distro=debian-13&upstream=shadow |
| passwd | 1:4.17.4-2 | deb | CVE-2024-56433 | Low | wont-fix | N/A | shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid. | [] | pkg:deb/debian/passwd@1%3A4.17.4-2?arch=amd64&distro=debian-13&upstream=shadow |
| libpoppler147 | 25.03.0-5+deb13u2 | deb | CVE-2019-9543 | Low | wont-fix | N/A | An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfseparate binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JArithmeticDecoder::decodeBit. | [] | pkg:deb/debian/libpoppler147@25.03.0-5%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=poppler |
| libmupdf25.1 | 1.25.1+ds1-6+deb13u1 | deb | CVE-2025-46206 | Medium | wont-fix | N/A | An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion | [] | pkg:deb/debian/libmupdf25.1@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| python3-mupdf | 1.25.1+ds1-6+deb13u1 | deb | CVE-2025-46206 | Medium | wont-fix | N/A | An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion | [] | pkg:deb/debian/python3-mupdf@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| libopenjp2-7 | 2.5.3-2.1~deb13u2 | deb | CVE-2019-6988 | Low | wont-fix | N/A | An issue was discovered in OpenJPEG 2.3.0. It allows remote attackers to cause a denial of service (attempted excessive memory allocation) in opj_calloc in openjp2/opj_malloc.c, when called from opj_tcd_init_tile in openjp2/tcd.c, as demonstrated by the 64-bit opj_decompress. | [] | pkg:deb/debian/libopenjp2-7@2.5.3-2.1~deb13u2?arch=amd64&distro=debian-13&upstream=openjpeg2 |
| libcairo2 | 1.18.4-1+b1 | deb | CVE-2017-7475 | Low | wont-fix | N/A | Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash. | [] | pkg:deb/debian/libcairo2@1.18.4-1%2Bb1?arch=amd64&distro=debian-13&upstream=cairo%401.18.4-1 |
| libpoppler147 | 25.03.0-5+deb13u2 | deb | CVE-2019-9545 | Low | wont-fix | N/A | An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readTextRegion() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JBIG2Bitmap::clearToZero. | [] | pkg:deb/debian/libpoppler147@25.03.0-5%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=poppler |
| libxml2 | 2.12.7+dfsg+really2.9.14-2.1+deb13u2 | deb | CVE-2026-6732 | High | not-fixed | N/A | A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable. | [] | pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=amd64&distro=debian-13 |
| libtasn1-6 | 4.20.0-2 | deb | CVE-2025-13151 | High | wont-fix | N/A | Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string. | [] | pkg:deb/debian/libtasn1-6@4.20.0-2?arch=amd64&distro=debian-13 |
| libexpat1 | 2.7.1-2 | deb | CVE-2025-59375 | High | wont-fix | N/A | libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| libpython3.13 | 3.13.5-2+deb13u2 | deb | CVE-2025-15366 | Medium | wont-fix | N/A | The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/libpython3.13@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13 | 3.13.5-2+deb13u2 | deb | CVE-2025-15367 | Medium | wont-fix | N/A | The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/libpython3.13@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2+deb13u2 | deb | CVE-2025-15366 | Medium | wont-fix | N/A | The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2+deb13u2 | deb | CVE-2025-15367 | Medium | wont-fix | N/A | The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2+deb13u2 | deb | CVE-2025-15366 | Medium | wont-fix | N/A | The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2+deb13u2 | deb | CVE-2025-15367 | Medium | wont-fix | N/A | The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2+deb13u2 | deb | CVE-2025-15366 | Medium | wont-fix | N/A | The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/python3.13@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13 |
| python3.13 | 3.13.5-2+deb13u2 | deb | CVE-2025-15367 | Medium | wont-fix | N/A | The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/python3.13@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2+deb13u2 | deb | CVE-2025-15366 | Medium | wont-fix | N/A | The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13-minimal | 3.13.5-2+deb13u2 | deb | CVE-2025-15367 | Medium | wont-fix | N/A | The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libxml2 | 2.12.7+dfsg+really2.9.14-2.1+deb13u2 | deb | CVE-2026-0990 | Medium | wont-fix | N/A | A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications. | [] | pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=amd64&distro=debian-13 |
| libmupdf25.1 | 1.25.1+ds1-6+deb13u1 | deb | CVE-2025-55780 | High | wont-fix | N/A | A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain. | [] | pkg:deb/debian/libmupdf25.1@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| python3-mupdf | 1.25.1+ds1-6+deb13u1 | deb | CVE-2025-55780 | High | wont-fix | N/A | A null pointer dereference occurs in the function break_word_for_overflow_wrap() in MuPDF 1.26.4 when rendering a malformed EPUB document. Specifically, the function calls fz_html_split_flow() to split a FLOW_WORD node, but does not check if node->next is valid before accessing node->next->overflow_wrap, resulting in a crash if the split fails or returns a partial node chain. | [] | pkg:deb/debian/python3-mupdf@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| bsdutils | 1:2.41-5 | deb | CVE-2026-3184 | Medium | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/bsdutils@1%3A2.41-5?arch=amd64&distro=debian-13&upstream=util-linux%402.41-5 |
| libblkid1 | 2.41-5 | deb | CVE-2026-3184 | Medium | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/libblkid1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| liblastlog2-2 | 2.41-5 | deb | CVE-2026-3184 | Medium | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/liblastlog2-2@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| libmount1 | 2.41-5 | deb | CVE-2026-3184 | Medium | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/libmount1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| libsmartcols1 | 2.41-5 | deb | CVE-2026-3184 | Medium | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/libsmartcols1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| libuuid1 | 2.41-5 | deb | CVE-2026-3184 | Medium | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/libuuid1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| login | 1:4.16.0-2+really2.41-5 | deb | CVE-2026-3184 | Medium | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/login@1%3A4.16.0-2%2Breally2.41-5?arch=amd64&distro=debian-13&upstream=util-linux%402.41-5 |
| mount | 2.41-5 | deb | CVE-2026-3184 | Medium | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/mount@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| util-linux | 2.41-5 | deb | CVE-2026-3184 | Medium | wont-fix | N/A | A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access. | [] | pkg:deb/debian/util-linux@2.41-5?arch=amd64&distro=debian-13 |
| libavahi-client3 | 0.8-16 | deb | CVE-2024-52616 | Medium | wont-fix | N/A | A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs. | [] | pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common-data | 0.8-16 | deb | CVE-2024-52616 | Medium | wont-fix | N/A | A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs. | [] | pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common3 | 0.8-16 | deb | CVE-2024-52616 | Medium | wont-fix | N/A | A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs. | [] | pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libcurl3t64-gnutls | 8.14.1-2+deb13u3 | deb | CVE-2026-1965 | Medium | wont-fix | N/A | libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1... The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API). | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u3 | deb | CVE-2026-1965 | Medium | wont-fix | N/A | libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1... The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API). | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libssh2-1t64 | 1.11.1-1 | deb | CVE-2026-7598 | Medium | wont-fix | N/A | A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue. | [] | pkg:deb/debian/libssh2-1t64@1.11.1-1?arch=amd64&distro=debian-13&upstream=libssh2 |
| libcurl3t64-gnutls | 8.14.1-2+deb13u3 | deb | CVE-2026-7168 | Medium | wont-fix | N/A | Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`. | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u3 | deb | CVE-2026-7168 | Medium | wont-fix | N/A | Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`. | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libc-bin | 2.41-12+deb13u3 | deb | CVE-2026-5928 | High | wont-fix | N/A | Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets. | [] | pkg:deb/debian/libc-bin@2.41-12%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=glibc |
| libc6 | 2.41-12+deb13u3 | deb | CVE-2026-5928 | High | wont-fix | N/A | Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets. | [] | pkg:deb/debian/libc6@2.41-12%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=glibc |
| libopenjp2-7 | 2.5.3-2.1~deb13u2 | deb | CVE-2023-39329 | Medium | wont-fix | N/A | A flaw was found in OpenJPEG. A resource exhaustion can occur in the opj_t1_decode_cblks function in tcd.c through a crafted image file, causing a denial of service. | [] | pkg:deb/debian/libopenjp2-7@2.5.3-2.1~deb13u2?arch=amd64&distro=debian-13&upstream=openjpeg2 |
| libavahi-client3 | 0.8-16 | deb | CVE-2024-52615 | Medium | wont-fix | N/A | A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. | [] | pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common-data | 0.8-16 | deb | CVE-2024-52615 | Medium | wont-fix | N/A | A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. | [] | pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common3 | 0.8-16 | deb | CVE-2024-52615 | Medium | wont-fix | N/A | A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected. | [] | pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libncursesw6 | 6.5+20250216-2 | deb | CVE-2025-6141 | Medium | wont-fix | N/A | A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component. | [] | pkg:deb/debian/libncursesw6@6.5%2B20250216-2?arch=amd64&distro=debian-13&upstream=ncurses |
| libtinfo6 | 6.5+20250216-2 | deb | CVE-2025-6141 | Medium | wont-fix | N/A | A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component. | [] | pkg:deb/debian/libtinfo6@6.5%2B20250216-2?arch=amd64&distro=debian-13&upstream=ncurses |
| ncurses-base | 6.5+20250216-2 | deb | CVE-2025-6141 | Medium | wont-fix | N/A | A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component. | [] | pkg:deb/debian/ncurses-base@6.5%2B20250216-2?arch=all&distro=debian-13&upstream=ncurses |
| ncurses-bin | 6.5+20250216-2 | deb | CVE-2025-6141 | Medium | wont-fix | N/A | A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component. | [] | pkg:deb/debian/ncurses-bin@6.5%2B20250216-2?arch=amd64&distro=debian-13&upstream=ncurses |
| libc-bin | 2.41-12+deb13u3 | deb | CVE-2026-5435 | High | wont-fix | N/A | The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records. | [] | pkg:deb/debian/libc-bin@2.41-12%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=glibc |
| libc6 | 2.41-12+deb13u3 | deb | CVE-2026-5435 | High | wont-fix | N/A | The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records. | [] | pkg:deb/debian/libc6@2.41-12%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=glibc |
| libcurl3t64-gnutls | 8.14.1-2+deb13u3 | deb | CVE-2025-14819 | Medium | wont-fix | N/A | When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u3 | deb | CVE-2025-14819 | Medium | wont-fix | N/A | When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not. | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| liblzma5 | 5.8.1-1 | deb | CVE-2026-34743 | Medium | wont-fix | N/A | XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3. | [] | pkg:deb/debian/liblzma5@5.8.1-1?arch=amd64&distro=debian-13&upstream=xz-utils |
| libxslt1.1 | 1.1.35-1.2+deb13u3 | deb | CVE-2025-11731 | Low | wont-fix | N/A | A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT <func:result> elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes. While difficult to exploit, the flaw could lead to application instability or denial of service. | [] | pkg:deb/debian/libxslt1.1@1.1.35-1.2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=libxslt |
| libpython3.13 | 3.13.5-2+deb13u2 | deb | CVE-2026-8328 | Medium | wont-fix | N/A | The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189. | [] | pkg:deb/debian/libpython3.13@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2+deb13u2 | deb | CVE-2026-8328 | Medium | wont-fix | N/A | The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2+deb13u2 | deb | CVE-2026-8328 | Medium | wont-fix | N/A | The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2+deb13u2 | deb | CVE-2026-8328 | Medium | wont-fix | N/A | The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189. | [] | pkg:deb/debian/python3.13@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2+deb13u2 | deb | CVE-2026-8328 | Medium | wont-fix | N/A | The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libavahi-client3 | 0.8-16 | deb | CVE-2025-59529 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. But avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted users. | [] | pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common-data | 0.8-16 | deb | CVE-2025-59529 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. But avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted users. | [] | pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common3 | 0.8-16 | deb | CVE-2025-59529 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although `CLIENTS_MAX` is defined, `server_work()` unconditionally `accept()`s and `client_new()` always appends the new client and increments `n_clients`. There is no check against the limit. When client cannot be accepted as a result of maximal socket number of avahi-daemon, it logs unconditionally error per each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a denial of service system-wide for mDNS/DNS-SD. Exhausting local file descriptors causes increased system load caused by logging errors of each of request. Overloading prevents glibc calls using nss-mdns plugins to resolve `*.local.` names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket `/run/avahi-daemon/socket`, but resolution requests received via DBus are not affected directly. Tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected, they use DBus interface. It is possible to change permissions of unix socket after avahi-daemon is started. But avahi-daemon does not provide any configuration for it. Additional access restrictions like SELinux can also prevent unwanted tools to access the socket and keep resolution working for trusted users. | [] | pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-client3 | 0.8-16 | deb | CVE-2026-24401 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524. | [] | pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common-data | 0.8-16 | deb | CVE-2026-24401 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524. | [] | pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common3 | 0.8-16 | deb | CVE-2026-24401 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524. | [] | pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libpython3.13 | 3.13.5-2+deb13u2 | deb | CVE-2025-12781 | Medium | wont-fix | N/A | When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. | [] | pkg:deb/debian/libpython3.13@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2+deb13u2 | deb | CVE-2025-12781 | Medium | wont-fix | N/A | When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2+deb13u2 | deb | CVE-2025-12781 | Medium | wont-fix | N/A | When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2+deb13u2 | deb | CVE-2025-12781 | Medium | wont-fix | N/A | When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. | [] | pkg:deb/debian/python3.13@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2+deb13u2 | deb | CVE-2025-12781 | Medium | wont-fix | N/A | When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libcurl3t64-gnutls | 8.14.1-2+deb13u3 | deb | CVE-2026-3805 | High | wont-fix | N/A | When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u3 | deb | CVE-2026-3805 | High | wont-fix | N/A | When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory. | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl3t64-gnutls | 8.14.1-2+deb13u3 | deb | CVE-2026-5545 | Medium | wont-fix | N/A | libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. An application that first uses Negotiate authentication to a server with `user1:password1` and then does another operation to the same server asking for any authentication method but for `user2:password2` (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1... | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u3 | deb | CVE-2026-5545 | Medium | wont-fix | N/A | libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. An application that first uses Negotiate authentication to a server with `user1:password1` and then does another operation to the same server asking for any authentication method but for `user2:password2` (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1... | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl3t64-gnutls | 8.14.1-2+deb13u3 | deb | CVE-2025-14524 | Medium | wont-fix | N/A | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u3 | deb | CVE-2025-14524 | Medium | wont-fix | N/A | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host. | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libmupdf25.1 | 1.25.1+ds1-6+deb13u1 | deb | CVE-2026-25556 | High | wont-fix | N/A | MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes. | [] | pkg:deb/debian/libmupdf25.1@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| python3-mupdf | 1.25.1+ds1-6+deb13u1 | deb | CVE-2026-25556 | High | wont-fix | N/A | MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes. | [] | pkg:deb/debian/python3-mupdf@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| tar | 1.35+dfsg-3.1 | deb | CVE-2026-5704 | Medium | wont-fix | N/A | A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection. | [] | pkg:deb/debian/tar@1.35%2Bdfsg-3.1?arch=amd64&distro=debian-13 |
| libcurl3t64-gnutls | 8.14.1-2+deb13u3 | deb | CVE-2026-6253 | Medium | wont-fix | N/A | curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u3 | deb | CVE-2026-6253 | Medium | wont-fix | N/A | curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libpoppler147 | 25.03.0-5+deb13u2 | deb | CVE-2025-52885 | Medium | wont-fix | N/A | Poppler ia a library for rendering PDF files, and examining or modifying their structure. A use-after-free (write) vulnerability has been detected in versions Poppler prior to 25.10.0 within the StructTreeRoot class. The issue arises from the use of raw pointers to elements of a `std::vector`, which can lead to dangling pointers when the vector is resized. The vulnerability stems from the way that refToParentMap stores references to `std::vector` elements using raw pointers. These pointers may become invalid when the vector is resized. This vulnerability is a common security problem involving the use of raw pointers to `std::vectors`. Internally, `std::vector `stores its elements in a dynamically allocated array. When the array reaches its capacity and a new element is added, the vector reallocates a larger block of memory and moves all the existing elements to the new location. At this point if any pointers to elements are stored before a resize occurs, they become dangling pointers once the reallocation happens. Version 25.10.0 contains a patch for the issue. | [] | pkg:deb/debian/libpoppler147@25.03.0-5%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=poppler |
| libcurl3t64-gnutls | 8.14.1-2+deb13u3 | deb | CVE-2026-5773 | High | wont-fix | N/A | libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same. | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u3 | deb | CVE-2026-5773 | High | wont-fix | N/A | libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should. This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same. | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl3t64-gnutls | 8.14.1-2+deb13u3 | deb | CVE-2026-3784 | Medium | wont-fix | N/A | curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection. | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u3 | deb | CVE-2026-3784 | Medium | wont-fix | N/A | curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection. | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libpython3.13 | 3.13.5-2+deb13u2 | deb | CVE-2026-1502 | Medium | wont-fix | N/A | CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. | [] | pkg:deb/debian/libpython3.13@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-minimal | 3.13.5-2+deb13u2 | deb | CVE-2026-1502 | Medium | wont-fix | N/A | CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. | [] | pkg:deb/debian/libpython3.13-minimal@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libpython3.13-stdlib | 3.13.5-2+deb13u2 | deb | CVE-2026-1502 | Medium | wont-fix | N/A | CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. | [] | pkg:deb/debian/libpython3.13-stdlib@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| python3.13 | 3.13.5-2+deb13u2 | deb | CVE-2026-1502 | Medium | wont-fix | N/A | CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. | [] | pkg:deb/debian/python3.13@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13 |
| python3.13-minimal | 3.13.5-2+deb13u2 | deb | CVE-2026-1502 | Medium | wont-fix | N/A | CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. | [] | pkg:deb/debian/python3.13-minimal@3.13.5-2%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=python3.13 |
| libavahi-client3 | 0.8-16 | deb | CVE-2025-68471 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. | [] | pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common-data | 0.8-16 | deb | CVE-2025-68471 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. | [] | pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common3 | 0.8-16 | deb | CVE-2025-68471 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart. | [] | pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libopenjp2-7 | 2.5.3-2.1~deb13u2 | deb | CVE-2023-39327 | Medium | wont-fix | N/A | A flaw was found in OpenJPEG. Maliciously constructed pictures can cause the program to enter a large loop and continuously print warning messages on the terminal. | [] | pkg:deb/debian/libopenjp2-7@2.5.3-2.1~deb13u2?arch=amd64&distro=debian-13&upstream=openjpeg2 |
| libcurl3t64-gnutls | 8.14.1-2+deb13u3 | deb | CVE-2026-3783 | Medium | wont-fix | N/A | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one. | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u3 | deb | CVE-2026-3783 | Medium | wont-fix | N/A | When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one. | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl3t64-gnutls | 8.14.1-2+deb13u3 | deb | CVE-2026-6429 | Medium | wont-fix | N/A | When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances. | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u3 | deb | CVE-2026-6429 | Medium | wont-fix | N/A | When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances. | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libavahi-client3 | 0.8-16 | deb | CVE-2025-68468 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes. | [] | pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common-data | 0.8-16 | deb | CVE-2025-68468 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes. | [] | pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common3 | 0.8-16 | deb | CVE-2025-68468 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes. | [] | pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libxslt1.1 | 1.1.35-1.2+deb13u3 | deb | CVE-2025-10911 | Medium | wont-fix | N/A | A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash. | [] | pkg:deb/debian/libxslt1.1@1.1.35-1.2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=libxslt |
| libexpat1 | 2.7.1-2 | deb | CVE-2026-41080 | High | wont-fix | N/A | libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| libcurl3t64-gnutls | 8.14.1-2+deb13u3 | deb | CVE-2026-6276 | High | wont-fix | N/A | Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them. | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u3 | deb | CVE-2026-6276 | High | wont-fix | N/A | Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them. | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libmupdf25.1 | 1.25.1+ds1-6+deb13u1 | deb | CVE-2026-7233 | Medium | wont-fix | N/A | A vulnerability was determined in Artifex MuPDF up to 1.28.0. The impacted element is the function fz_subset_cff_for_gids of the file subset-cff.c of the component CFF Index Handler. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through a bug report but has not responded yet. | [] | pkg:deb/debian/libmupdf25.1@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| python3-mupdf | 1.25.1+ds1-6+deb13u1 | deb | CVE-2026-7233 | Medium | wont-fix | N/A | A vulnerability was determined in Artifex MuPDF up to 1.28.0. The impacted element is the function fz_subset_cff_for_gids of the file subset-cff.c of the component CFF Index Handler. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through a bug report but has not responded yet. | [] | pkg:deb/debian/python3-mupdf@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| libc-bin | 2.41-12+deb13u3 | deb | CVE-2026-6238 | Medium | wont-fix | N/A | The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory. These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions. | [] | pkg:deb/debian/libc-bin@2.41-12%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=glibc |
| libc6 | 2.41-12+deb13u3 | deb | CVE-2026-6238 | Medium | wont-fix | N/A | The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory. These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions. | [] | pkg:deb/debian/libc6@2.41-12%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=glibc |
| libncursesw6 | 6.5+20250216-2 | deb | CVE-2025-69720 | High | wont-fix | N/A | The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c. | [] | pkg:deb/debian/libncursesw6@6.5%2B20250216-2?arch=amd64&distro=debian-13&upstream=ncurses |
| libtinfo6 | 6.5+20250216-2 | deb | CVE-2025-69720 | High | wont-fix | N/A | The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c. | [] | pkg:deb/debian/libtinfo6@6.5%2B20250216-2?arch=amd64&distro=debian-13&upstream=ncurses |
| ncurses-base | 6.5+20250216-2 | deb | CVE-2025-69720 | High | wont-fix | N/A | The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c. | [] | pkg:deb/debian/ncurses-base@6.5%2B20250216-2?arch=all&distro=debian-13&upstream=ncurses |
| ncurses-bin | 6.5+20250216-2 | deb | CVE-2025-69720 | High | wont-fix | N/A | The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c. | [] | pkg:deb/debian/ncurses-bin@6.5%2B20250216-2?arch=amd64&distro=debian-13&upstream=ncurses |
| libcairo2 | 1.18.4-1+b1 | deb | CVE-2025-50422 | Low | wont-fix | N/A | Cairo through 1.18.4, as used in Poppler through 25.08.0, has an "unscaled->face == NULL" assertion failure for _cairo_ft_unscaled_font_fini in cairo-ft-font.c. | [] | pkg:deb/debian/libcairo2@1.18.4-1%2Bb1?arch=amd64&distro=debian-13&upstream=cairo%401.18.4-1 |
| libexpat1 | 2.7.1-2 | deb | CVE-2026-45186 | High | not-fixed | N/A | In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| bsdutils | 1:2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/bsdutils@1%3A2.41-5?arch=amd64&distro=debian-13&upstream=util-linux%402.41-5 |
| libblkid1 | 2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/libblkid1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| liblastlog2-2 | 2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/liblastlog2-2@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| libmount1 | 2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/libmount1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| libsmartcols1 | 2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/libsmartcols1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| libuuid1 | 2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/libuuid1@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| login | 1:4.16.0-2+really2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/login@1%3A4.16.0-2%2Breally2.41-5?arch=amd64&distro=debian-13&upstream=util-linux%402.41-5 |
| mount | 2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/mount@2.41-5?arch=amd64&distro=debian-13&upstream=util-linux |
| util-linux | 2.41-5 | deb | CVE-2026-27456 | Medium | wont-fix | N/A | util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4. | [] | pkg:deb/debian/util-linux@2.41-5?arch=amd64&distro=debian-13 |
| libxml2 | 2.12.7+dfsg+really2.9.14-2.1+deb13u2 | deb | CVE-2026-0989 | Low | wont-fix | N/A | A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk. | [] | pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=amd64&distro=debian-13 |
| libcurl3t64-gnutls | 8.14.1-2+deb13u3 | deb | CVE-2026-4873 | Medium | wont-fix | N/A | A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmit data unencrypted. | [] | pkg:deb/debian/libcurl3t64-gnutls@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libcurl4t64 | 8.14.1-2+deb13u3 | deb | CVE-2026-4873 | Medium | wont-fix | N/A | A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmit data unencrypted. | [] | pkg:deb/debian/libcurl4t64@8.14.1-2%2Bdeb13u3?arch=amd64&distro=debian-13&upstream=curl |
| libxml2 | 2.12.7+dfsg+really2.9.14-2.1+deb13u2 | deb | CVE-2026-0992 | Low | wont-fix | N/A | A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition. | [] | pkg:deb/debian/libxml2@2.12.7%2Bdfsg%2Breally2.9.14-2.1%2Bdeb13u2?arch=amd64&distro=debian-13 |
| libopenjp2-7 | 2.5.3-2.1~deb13u2 | deb | CVE-2023-39328 | Medium | wont-fix | N/A | A vulnerability was found in OpenJPEG similar to CVE-2019-6988. This flaw allows an attacker to bypass existing protections and cause an application crash through a maliciously crafted file. | [] | pkg:deb/debian/libopenjp2-7@2.5.3-2.1~deb13u2?arch=amd64&distro=debian-13&upstream=openjpeg2 |
| libexpat1 | 2.7.1-2 | deb | CVE-2026-25210 | High | wont-fix | N/A | In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| dirmngr | 2.4.7-21+deb13u1+b3 | deb | CVE-2026-24882 | High | wont-fix | N/A | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | [] | pkg:deb/debian/dirmngr@2.4.7-21%2Bdeb13u1%2Bb3?arch=amd64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1 |
| gnupg | 2.4.7-21+deb13u1 | deb | CVE-2026-24882 | High | wont-fix | N/A | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | [] | pkg:deb/debian/gnupg@2.4.7-21%2Bdeb13u1?arch=all&distro=debian-13&upstream=gnupg2 |
| gnupg-l10n | 2.4.7-21+deb13u1 | deb | CVE-2026-24882 | High | wont-fix | N/A | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | [] | pkg:deb/debian/gnupg-l10n@2.4.7-21%2Bdeb13u1?arch=all&distro=debian-13&upstream=gnupg2 |
| gpg | 2.4.7-21+deb13u1+b3 | deb | CVE-2026-24882 | High | wont-fix | N/A | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | [] | pkg:deb/debian/gpg@2.4.7-21%2Bdeb13u1%2Bb3?arch=amd64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1 |
| gpg-agent | 2.4.7-21+deb13u1+b3 | deb | CVE-2026-24882 | High | wont-fix | N/A | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | [] | pkg:deb/debian/gpg-agent@2.4.7-21%2Bdeb13u1%2Bb3?arch=amd64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1 |
| gpgconf | 2.4.7-21+deb13u1+b3 | deb | CVE-2026-24882 | High | wont-fix | N/A | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | [] | pkg:deb/debian/gpgconf@2.4.7-21%2Bdeb13u1%2Bb3?arch=amd64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1 |
| gpgsm | 2.4.7-21+deb13u1+b3 | deb | CVE-2026-24882 | High | wont-fix | N/A | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | [] | pkg:deb/debian/gpgsm@2.4.7-21%2Bdeb13u1%2Bb3?arch=amd64&distro=debian-13&upstream=gnupg2%402.4.7-21%2Bdeb13u1 |
| libavahi-client3 | 0.8-16 | deb | CVE-2026-34933 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4. | [] | pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common-data | 0.8-16 | deb | CVE-2026-34933 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4. | [] | pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common3 | 0.8-16 | deb | CVE-2026-34933 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4. | [] | pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| zlib1g | 1:1.3.dfsg+really1.3.1-1+b1 | deb | CVE-2026-27171 | Medium | wont-fix | N/A | zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition. | [] | pkg:deb/debian/zlib1g@1%3A1.3.dfsg%2Breally1.3.1-1%2Bb1?arch=amd64&distro=debian-13&upstream=zlib%401%3A1.3.dfsg%2Breally1.3.1-1 |
| libexpat1 | 2.7.1-2 | deb | CVE-2025-66382 | Medium | wont-fix | N/A | In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| libavahi-client3 | 0.8-16 | deb | CVE-2025-68276 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves. | [] | pkg:deb/debian/libavahi-client3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common-data | 0.8-16 | deb | CVE-2025-68276 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves. | [] | pkg:deb/debian/libavahi-common-data@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libavahi-common3 | 0.8-16 | deb | CVE-2025-68276 | Medium | wont-fix | N/A | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either calling the RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves. | [] | pkg:deb/debian/libavahi-common3@0.8-16?arch=amd64&distro=debian-13&upstream=avahi |
| libexpat1 | 2.7.1-2 | deb | CVE-2026-32776 | Medium | wont-fix | N/A | libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| libexpat1 | 2.7.1-2 | deb | CVE-2026-32778 | Medium | wont-fix | N/A | libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| libexpat1 | 2.7.1-2 | deb | CVE-2026-32777 | Medium | wont-fix | N/A | libexpat before 2.7.5 allows an infinite loop while parsing DTD content. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| libpoppler147 | 25.03.0-5+deb13u2 | deb | CVE-2025-43718 | Low | wont-fix | N/A | Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for a long pdfsubver string. This occurs in Dict::lookup, Catalog::getMetadata, and associated functions in PDFDoc, with deep recursion in the regex executor (std::__detail::_Executor). | [] | pkg:deb/debian/libpoppler147@25.03.0-5%2Bdeb13u2?arch=amd64&distro=debian-13&upstream=poppler |
| libmupdf25.1 | 1.25.1+ds1-6+deb13u1 | deb | CVE-2026-40505 | Medium | wont-fix | N/A | MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands. | [] | pkg:deb/debian/libmupdf25.1@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| python3-mupdf | 1.25.1+ds1-6+deb13u1 | deb | CVE-2026-40505 | Medium | wont-fix | N/A | MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands. | [] | pkg:deb/debian/python3-mupdf@1.25.1%2Bds1-6%2Bdeb13u1?arch=amd64&distro=debian-13&upstream=mupdf |
| libexpat1 | 2.7.1-2 | deb | CVE-2026-24515 | Low | wont-fix | N/A | In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. | [] | pkg:deb/debian/libexpat1@2.7.1-2?arch=amd64&distro=debian-13&upstream=expat |
| libsystemd0 | 257.13-1~deb13u1 | deb | CVE-2026-40228 | Low | wont-fix | N/A | In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set. | [] | pkg:deb/debian/libsystemd0@257.13-1~deb13u1?arch=amd64&distro=debian-13&upstream=systemd |
| libudev1 | 257.13-1~deb13u1 | deb | CVE-2026-40228 | Low | wont-fix | N/A | In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a "logger -p emerg" command is executed, if ForwardToWall=yes is set. | [] | pkg:deb/debian/libudev1@257.13-1~deb13u1?arch=amd64&distro=debian-13&upstream=systemd |
| perl-base | 5.40.1-6 | deb | CVE-2026-8376 | Unknown | wont-fix | N/A | [] | pkg:deb/debian/perl-base@5.40.1-6?arch=amd64&distro=debian-13&upstream=perl |