Latest intel // live feed
CVE-2026-41326 — Katacontainers Confidential_containers: From v3.4.0 to v3.28.0, an oversight in the CopyFile policy (and perhaps the CopyFile
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. From v3.4.0 to v3.28.0, an oversight in the CopyFile policy (and perhaps the CopyFile handler) allows untrusted hosts to write to arbitrary locations inside the guest workload image. This can be used to overwrite binaries inside the guest and exfiltrate data from containers, even those running inside CVMs. This vulnerability is fi
CVSSv3.1 8.2 (HIGH) · EPSS 5th percentile
CVE-2026-41140 — Poetry: Prior to 2.3.4, the extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal
Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4. This vulnerability is fixed in 2.3.4.
CVSSv3.1 8.7 (HIGH) · EPSS 19th percentile
CVE-2026-6912 — AWS Ops Wheel: Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched
CVSSv3.1 8.8 (HIGH)
CVE-2026-6911 — AWS Ops Wheel: Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT
Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint. To remediate this issue, users should redeploy from the updated repository and ensure any forked or deriva
CVSSv3.1 9.8 (CRITICAL)
CVE-2026-40897 — Math.js: From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression
Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. This vulnerability is fixed in 15.2.0.
CVSSv3.1 8.8 (HIGH)
CVE-2026-39920 — BridgeHead FileStore: Versions prior to 24A (released in early 2024) expose the Apache Axis2
BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials, which allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.
CVSSv3.1 9.8 (CRITICAL)
CVE-2026-31669 — Linux: In the Linux kernel, the following vulnerability has been resolved: mptcp: fix slab-use-after-free in
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix slab-use-after-free in __inet_lookup_established
The ehash table lookups are lockless and rely on SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability during RCU read-side critical sections. Both tcp_prot and tcpv6_prot have their slab caches created with this flag via proto_register(). However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into tcpv6_prot_override during inet_init() (fs_i
CVSSv3.1 9.8 (CRITICAL) · EPSS 9th percentile
CVE-2026-31668 — Linux: In the Linux kernel, the following vulnerability has been resolved: seg6: separate dst_cache for
In the Linux kernel, the following vulnerability has been resolved:
seg6: separate dst_cache for input and output paths in seg6 lwtunnel
The seg6 lwtunnel uses a single dst_cache per encap route, shared between seg6_input_core() and seg6_output_core(). These two paths can perform the post-encap SID lookup in different routing contexts (e.g., ip rules matching on the ingress interface, or VRF table separation). Whichever path runs first populates the cache, and the other reu
CVSSv3.1 9.8 (CRITICAL) · EPSS 7th percentile
CVE-2026-31659 — Linux: In the Linux kernel, the following vulnerability has been resolved: batman-adv: reject oversized global
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: reject oversized global TT response buffers
batadv_tt_prepare_tvlv_global_data() builds the allocation length for a global TT response in 16-bit temporaries. When a remote originator advertises a large enough global TT, the TT payload length plus the VLAN header offset can exceed 65535 and wrap before kmalloc(). The full-table response path still uses the original TT payload length when it fill
CVSSv3.1 9.8 (CRITICAL) · EPSS 7th percentile
CVE-2026-31657 — Linux: In the Linux kernel, the following vulnerability has been resolved: batman-adv: hold claim backbone
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: hold claim backbone gateways by reference
batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access
CVSSv3.1 9.8 (CRITICAL) · EPSS 7th percentile
CVE-2026-31649 — Linux: On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: fix integer underflow in chain mode
The jumbo_frm() chain-mode implementation unconditionally computes len = nopaged_len - bmax; where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments): is_jumbo = stmmac_is_jumbo_frm(p
CVSSv3.1 9.8 (CRITICAL) · EPSS 7th percentile
CVE-2026-31637 — Linux: In the Linux kernel, the following vulnerability has been resolved: rxrpc: reject undecryptable rxkad
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: reject undecryptable rxkad response tickets
rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then parses the buffer as plaintext without checking whether crypto_skcipher_decrypt() succeeded. A malformed RESPONSE can therefore use a non-block-aligned ticket length, make the decrypt operation fail, and still drive the ticket parser with attacker-controlled bytes. Check the decrypt result
CVSSv3.1 9.8 (CRITICAL) · EPSS 5th percentile
CVE-2026-31636 — Linux: Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh: BUG: KASAN: slab-out-of-bounds in rxgk_verify_response()
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: fix RESPONSE authenticator parser OOB read
rxgk_verify_authenticator() copies auth_len bytes into a temporary buffer and then passes p + auth_len as the parser limit to rxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the parser end pointer by a factor of four and lets malformed RESPONSE authenticators read past the kmalloc() buffer. Decoded from the original latest-net reproduct
CVSSv3.1 9.1 (CRITICAL) · EPSS 4th percentile
CVE-2026-31633 — Linux: In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix integer overflow
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix integer overflow in rxgk_verify_response()
In rxgk_verify_response(), there's a potential integer overflow due to rounding up token_len before checking it, thereby allowing the length check to be bypassed. Fix this by checking the unrounded value against len too (len is limited as the response must fit in a single UDP packet).
CVSSv3.1 9.8 (CRITICAL) · EPSS 4th percentile
CVE-2026-31631 — Linux: In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix buffer overread
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix buffer overread in rxgk_do_verify_authenticator()
Fix rxgk_do_verify_authenticator() to check the buffer size before checking the nonce.
CVSSv3.1 8.2 (HIGH) · EPSS 4th percentile
CVE-2026-31629 — Linux: This results in a double release_sock() and a refcount underflow via double nfc_llcp_sock_put(), leading
In the Linux kernel, the following vulnerability has been resolved:
nfc: llcp: add missing return after LLCP_CLOSED checks
In nfc_llcp_recv_hdlc() and nfc_llcp_recv_disc(), when the socket state is LLCP_CLOSED, the code correctly calls release_sock() and nfc_llcp_sock_put() but fails to return. Execution falls through to the remainder of the function, which calls release_sock() and nfc_llcp_sock_put() again. This results in a double release_sock() and a refcount underflow v
CVSSv3.1 8.8 (HIGH) · EPSS 5th percentile
CVE-2026-31622 — Linux: In the Linux kernel, the following vulnerability has been resolved: NFC: digital: Bounds check
In the Linux kernel, the following vulnerability has been resolved:
NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
The NFC-A anti-collision cascade in digital_in_recv_sdd_res() appends 3 or 4 bytes to target->nfcid1 on each round, but the number of cascade rounds is controlled entirely by the peer device. The peer sets the cascade tag in the SDD_RES (deciding 3 vs 4 bytes) and the cascade-incomplete bit in the SEL_RES (deciding whether another round
CVSSv3.1 8.8 (HIGH) · EPSS 5th percentile
CVE-2026-31613 — Linux: In the Linux kernel, the following vulnerability has been resolved: smb: client: fix OOB
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix OOB reads parsing symlink error response
When a CREATE returns STATUS_STOPPED_ON_SYMLINK, smb2_check_message() returns success without any length validation, leaving the symlink parsers as the only defense against an untrusted server. symlink_data() walks SMB 3.1.1 error contexts with the loop test "p < end", but reads p->ErrorId at offset 4 and p->ErrorDataLength at offset 0. When the se
CVSSv3.1 8.1 (HIGH) · EPSS 5th percentile
CVE-2026-31611 — Linux: In the Linux kernel, the following vulnerability has been resolved: ksmbd: require 3 sub-authorities
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: require 3 sub-authorities before reading sub_auth[2]
parse_dacl() compares each ACE SID against sid_unix_NFS_mode and on match reads sid.sub_auth[2] as the file mode. If sid_unix_NFS_mode is the prefix S-1-5-88-3 with num_subauth = 2 then compare_sids() compares only min(num_subauth, 2) sub-authorities so a client SID with num_subauth = 2 and sub_auth = {88, 3} will match. If num_subauth = 2 and th
CVSSv3.1 8.6 (HIGH) · EPSS 5th percentile
CVE-2026-31609 — Linux: In the Linux kernel, the following vulnerability has been resolved: smb: client: avoid double-free
In the Linux kernel, the following vulnerability has been resolved:
smb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush()
smbd_send_batch_flush() already calls smbd_free_send_io(), so we should not call it again after smbd_post_send() moved it to the batch list.
CVSSv3.1 9.8 (CRITICAL) · EPSS 4th percentile
CVE-2026-31608 — Linux: In the Linux kernel, the following vulnerability has been resolved: smb: server: avoid double-free
In the Linux kernel, the following vulnerability has been resolved:
smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list()
smb_direct_flush_send_list() already calls smb_direct_free_sendmsg(), so we should not call it again after post_sendmsg() moved it to the batch list.
CVSSv3.1 9.8 (CRITICAL) · EPSS 4th percentile
CVE-2026-31607 — Linux: A malicious USB/IP server can set number_of_packets in the response to a value larger
In the Linux kernel, the following vulnerability has been resolved:
usbip: validate number_of_packets in usbip_pack_ret_submit()
When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on t
CVSSv3.1 9.8 (CRITICAL) · EPSS 5th percentile
CVE-2026-31589 — Linux: Otherwise, we've already removed the folio from the mapping so it no longer pins
In the Linux kernel, the following vulnerability has been resolved:
mm: call ->free_folio() directly in folio_unmap_invalidate()
We can only call filemap_free_folio() if we have a reference to (or hold a lock on) the mapping. Otherwise, we've already removed the folio from the mapping so it no longer pins the mapping and the mapping can be removed, causing a use-after-free when accessing mapping->a_ops. Follow the same pattern as __remove_mapping() and load the free_folio
CVSSv3.1 9.8 (CRITICAL) · EPSS 5th percentile
CVE-2026-31588 — Linux: This fixes a class of use-after-free bugs that occur when the emulator initiates a
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Use scratch field in MMIO fragment to hold small write values
When exiting to userspace to service an emulated MMIO write, copy the to-be-written value to a scratch field in the MMIO fragment if the size of the data payload is 8 bytes or less, i.e. can fit in a single chunk, instead of pointing the fragment directly at the source value. This fixes a class of use-after-free bugs that occur when th
CVSSv3.1 8.8 (HIGH) · EPSS 5th percentile
CVE-2026-31570 — Linux: Confirmed with KASAN on linux-7.0-rc2: BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0 Read of size 1
In the Linux kernel, the following vulnerability has been resolved:
can: gw: fix OOB heap access in cgw_csum_crc8_rel()
cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():
    int from = calc_idx(crc8->from_idx, cf->len);
    int to = calc_idx(crc8->to_idx, cf->len);
    int res = calc_idx(crc8->result_idx, cf->len);
    if (from < 0 || to < 0 || res < 0)
        return;
However, the loop and the result write then use the raw s8 fields directl
CVSSv3.1 8.8 (HIGH) · EPSS 7th percentile